Re: Pete Finnigan's Oracle database password checker

  • From: "Andre van Winssen" <dreveewee@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Fri, 10 Oct 2008 12:13:14 +0200

the slow part of the plsql code is the Brute Force attack. That can hardly
compete with real password crackers written in C(++). You can reduce the
pain of doing a brute force attack by changing the line with
 *passlen:=4*;   -- need to restrict to 4 so that it takes around 35 secs
 *passlen:=2*;   -- need to restrict to 2 so that it takes around 1 sec

you can extend the dictionary list with your own words as pointed out by

For those not well versed in plsql (not many in this list I'd guess) here's
a small explanation of how the plsql code works:
from a list of cleartext passwords it generates the hash and compares that
with the oracle hash stored in the SYS.USER$ column. If the hash matches
then it means you found the clear text password. It's as simple as that. The
algorithm for calculating the oracle password hash was been known in the
public area for years. But now Pete implemented it in this plsql procedure.
That is the added value because now you can easily run the cracker as an
oracle database job.
You may also want to change the output it generates. Certain companies won't
allow you to publish real passwords. This certainly applies to sox
databases. So instead of the password itself you might change the procedure
so that it returns the string 'WEAK' or 'BAD' or simliar.

Kind regards,

Other related posts: