Re: getting users passwords in plain text

  • From: "Mark Brinsmead" <pythianbrinsmead@xxxxxxxxx>
  • To: vincent.verpoort@xxxxxxxxx
  • Date: Sat, 20 Oct 2007 18:53:05 -0600

Vincent,

   A number of the prior responses to your question have suggested --
perhaps not clearly enough -- that you can change a user's password, and then
put it back to the original value without ever having known what it was.

   There is no known way (thankfully!) to extract plain-text passwords for
all database users.  You can, however, do the following:

SQL>  CONNECT / AS SYSDBA
SQL>  SELECT PASSWORD FROM DBA_USERS WHERE USERNAME = 'YOUR_USER';
SQL>  ALTER USER YOUR_USER IDENTIFIED BY "some-password-you-know";
SQL>  CONNECT YOUR_USER/some-password-you-know

do what you need to do...
SQL>  CONNECT / AS SYSDBA
SQL>  ALTER USER YOUR_USER IDENTIFIED BY VALUES 'AABFEC8902AFB'; /* You did write down the old password hash, right? */

   The PASSWORD returned by the SELECT statement is -- of course -- the
HASHED password.  No use to you, right?  Wrong!  You can directly set a
user's password to a particular HASHED value using ALTER USER ... IDENTIFIED
BY VALUES ...

   With luck, this technique should meet your needs, although you might be
well advised to get some approvals before you proceed with even this.
Altering users' passwords without proper authorization is likely to violate
corporate policy in most places (i.e., "get your *ss fired"), and may break
the law in many jurisdictions (i.e., get your *ss thrown in jail).
Certainly, extracting plain-text passwords from a database is likely to
violate the law in most places, so even if it were possible, you would be
nuts to do this.

   I agree with Mark Powell -- there should be no reason that you require
users' passwords.  To be completely honest, if you have some kind of
maintenance procedure that requires you to log in to the database as many
different users (whose passwords you are not entitled to know) then I think
you should probably concentrate on fixing your procedures rather than
sticking with something that risks getting your *ss fired and/or
imprisoned.  At the very least, if you go with the method described above, I
would advise you to have written authorisations from everybody in sight,
including (at the very least) the director of your HR department, your
corporate security officer, and probably the CEO.



On 10/16/07, Vincent Verpoort <vincent.verpoort@xxxxxxxxx> wrote:
>
> Hi Experts,
>
> I have a question that's a bit unethical.
>
> For a company I'm working for I need to find out what the passwords are of
> Oracle users. As changing them means a lot of work for a lot of people.
>
> Is there any way I can clear text the password from dba database, I have
> sysdba and all privs.
>
> Any points would be nice, also I want to put this into script so if anyone
> has something?
>
> --
>                            Vincent Verpoort
>
>   ,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_
>               Communicating is being understood
> ^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-.
>
>


-- 
Cheers,
-- Mark Brinsmead
   Senior DBA,
   The Pythian Group
   http://www.pythian.com/blogs
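
Added example, not part of the original post: a small detector for the change-then-restore sequence described above (a plain ALTER USER ... IDENTIFIED BY on someone else's account, followed by ALTER USER ... IDENTIFIED BY VALUES on the same account by the same session user). The record layout (timestamp, session user, SQL text), the sample rows and the name find_swaps are assumptions constructed for illustration; the records would come from whatever audit source captures statement text at your site.

```python
import re
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, session user, SQL text).
# The tuple layout is an assumption for this example, not an Oracle format.
SAMPLE = [
    ("2007-10-20 18:40:01", "SYS",
     'ALTER USER YOUR_USER IDENTIFIED BY "some-password-you-know"'),
    ("2007-10-20 18:52:40", "SYS",
     "ALTER USER YOUR_USER IDENTIFIED BY VALUES 'AABFEC8902AFB'"),
    ("2007-10-20 19:05:00", "SCOTT", "alter user scott identified by newpw"),
    ("2007-10-21 09:00:00", "SYS",
     "ALTER USER HR IDENTIFIED BY VALUES 'AABFEC8902AFB'"),
]

# Group 1: target account. Group 2 is set only for the hash form (BY VALUES '...').
ALTER_RE = re.compile(
    r"ALTER\s+USER\s+\"?(\w+)\"?\s+IDENTIFIED\s+BY\s+(VALUES\s+')?",
    re.IGNORECASE)


def find_swaps(records, window=timedelta(hours=24)):
    """Return (target, actor, changed_at, restored_at) per change/restore pair."""
    pending = {}    # target account -> (time of plain-password change, actor)
    findings = []
    for ts, actor, sql in sorted(records):      # ISO timestamps sort as text
        m = ALTER_RE.search(sql)
        if not m:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        target, actor = m.group(1).upper(), actor.upper()
        if m.group(2) is None:
            # Plain-password change: track it only when made by another account.
            if actor != target:
                pending[target] = (when, actor)
            else:
                pending.pop(target, None)       # owner reset their own password
        elif target in pending:
            changed_at, changer = pending.pop(target)
            if changer == actor and when - changed_at <= window:
                findings.append((target, actor, changed_at, when))
    return findings


if __name__ == "__main__":
    for target, actor, changed_at, restored_at in find_swaps(SAMPLE):
        print(f"{actor} changed then restored {target}: {changed_at} -> {restored_at}")
```

Statements issued over a CONNECT / AS SYSDBA session, as in the procedure above, are only recorded when auditing of SYS operations (the AUDIT_SYS_OPERATIONS parameter) is enabled.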
