That was my first thought but the brutal truth is that there are plenty of brute force cracking tools out there. I think that DBA's need to understand the security risks that face them... we need to be honest and wide open about these. Then maybe we will stop using passwords like dude or secret and the like and consider some real security. In fact, a well done presentation that demonstrates the vulnerability of an existing database using publicly available hacking tools is often very eye opening to management types if you are trying to secure a database and such management types are hesitant to spend the time/money. RF Robert G. Freeman Master Principal Consultant, Oracle Corporation Oracle ACE Author: Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON ITS WAY SOON! OCP: Oracle Database 11g Administrator Certified Professional Study Guide (Sybex) Oracle Database 11g New Features (Oracle Press) Oracle Database 10g New Features (Oracle Press) Other various titles Blog: http://robertgfreeman.blogspot.com ________________________________ From: Howard Latham <howard.latham@xxxxxxxxx> To: RStorey@xxxxxxxxxxxxxxxxxx Cc: oracle-l-freelists <oracle-l@xxxxxxxxxxxxx> Sent: Tue, March 23, 2010 6:19:26 AM Subject: Re: password not wishing to cast any doubt upon anybody in this case however in similar circumstances how can we be sure we are NOT helping someone HACK into a system? On 23 March 2010 13:07, Storey, Robert (DCSO) <RStorey@xxxxxxxxxxxxxxxxxx> wrote: > > > > > > > > > >> >> >Do you know how it was encrypted? Is the front end using an >encryption scheme or a vendor supplied encryption tool? > >> >> >From:oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On >Behalf Of Zelli, Brian >Sent: Tuesday, March 23, 2010 7:46 AM >To: 'Holvoet, Jo'; oracle-l-freelists >Subject: RE: password >> > >No it is encrypted. >> > > >> > >ciao, >Brian > >Brian >J. Zelli, Ed.M. >Sr. >Database Administrator >Enterprise >Application/Systems Integration >Information >Technology - Roswell Park Cancer Institute >phone: >(716) 845-4460 email: brian.zelli@xxxxxxxxxxxxxxx >> > >> > > >> ________________________________ > >From:Holvoet, Jo >[mailto:jo.holvoet@xxxxxxxxxxxxx] >Sent: Tuesday, March 23, 2010 8:42 AM >To: Zelli, Brian; oracle-l-freelists >Subject: RE: password >If the apps use it, can’t you find it back on the app side ? If not >in the code, then in a config type file maybe ? > >> >mvg / regards, >Jo Holvoet >> >> ________________________________ > >From:oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On >Behalf Of Zelli, Brian >Sent: dinsdag 23 maart 2010 13:38 >To: oracle-l-freelists >Subject: password > >> >I >lost the password for a schema user that runs applications. I can't >change it because it will crash the apps. How can I figure out what it >was? Does anyone have a hack script that can reveal it? >> > >> > >ciao, >Brian > >> > >> > > >>This email message may contain legally privileged and/or confidential >information. If you are not the intended recipient(s), or the employee or agent >responsible for the delivery of this message to the intended recipient(s), you >are hereby notified that any disclosure, copying, distribution, or use of this >email message is prohibited. If you have received this message in error, please >notify the sender immediately by e-mail and delete this email message from your >computer. Thank you. > >>This email message may contain legally privileged and/or confidential >information. If you are not the intended recipient(s), or the employee or agent >responsible for the delivery of this message to the intended recipient(s), you >are hereby notified that any disclosure, copying, distribution, or use of this >email message is prohibited. If you have received this message in error, please >notify the sender immediately by e-mail and delete this email message from your >computer. Thank you. -- Howard A. Latham