RE: password

There may be a much better way.  Most apps in their config file do have
the encrypted password along with a line that tells the app server if
the password has been encrypted or not, so:
 
    1) schedule some downtime for the app.
    2) Make a backup copy of the config file
    3) replace the encrypted password in the config file with an
unencrypted value and reset the encrypted line to false or 0, whichever
the app uses.
    4) Find the current encrypted password in the database & save that
somewhere, just in case.
    5) Change the password to the one in step 3
    6) Restart the app & verify that you can login.
 
Your fallback if things don't go right is to:
 
    1) restore the config file
    2) Use the alter user <> identified by values statement to reset the
db password.
 

Dick Goulet 
Senior Oracle DBA/NA Team Lead 
PAREXEL International 
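
The database-side steps of the procedure above (step 4, step 5 and the fallback), written out as an added SQL*Plus example that is not part of the original message. The account name APP_OWNER, the password and the saved values are placeholders, and it assumes a DBA session on a 10g/11g-era database where SYS.USER$ is readable.

```sql
-- Added illustration: APP_OWNER and all quoted values are placeholders.

-- Step 4: record the current password verifier(s) before touching the
-- account. Spool the output to a file only DBAs can read and delete it
-- once the change is confirmed.
SELECT name, password, spare4
  FROM sys.user$
 WHERE name = 'APP_OWNER';

-- Step 5: set the account to the value written into the app config
-- file in step 3.
ALTER USER app_owner IDENTIFIED BY "ValueFromStep3";

-- Step 6, database side: after restarting the app, confirm the account
-- is still OPEN. A LOCKED(TIMED) status here usually means some client
-- is still retrying with the old password.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE username = 'APP_OWNER';

-- Fallback step 2: put back the verifier exactly as recorded in step 4.
-- With only the PASSWORD column populated:
ALTER USER app_owner IDENTIFIED BY VALUES '<saved PASSWORD value>';

-- With SPARE4 also populated (11g), restore both, separated by ';':
-- ALTER USER app_owner
--   IDENTIFIED BY VALUES '<saved SPARE4 value>;<saved PASSWORD value>';

-- If failed logins locked the account during the attempt:
ALTER USER app_owner ACCOUNT UNLOCK;
```

Once the application is confirmed working, re-encrypt the password in the config file if the app supports it, so the cleartext value from step 3 does not stay on disk.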

 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Robert Freeman
Sent: Tuesday, March 23, 2010 10:11 AM
To: howard.latham@xxxxxxxxx; RStorey@xxxxxxxxxxxxxxxxxx
Cc: oracle-l-freelists
Subject: Re: password


That was my first thought but the brutal truth is that there are plenty
of brute force cracking tools out there. I think that DBAs need to
understand the security risks that face them... we need to be honest and
wide open about these. Then maybe we will stop using passwords like dude
or secret and the like and consider some real security.

In fact, a well done presentation that demonstrates the vulnerability of
an existing database using publicly available hacking tools is often
very eye opening to management types if you are trying to secure a
database and such management types are hesitant to spend the time/money.

RF


 
Robert G. Freeman
Master Principal Consultant, Oracle Corporation
Oracle ACE
Author:
Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON ITS WAY
SOON!
OCP: Oracle Database 11g Administrator Certified Professional Study
Guide (Sybex)
Oracle Database 11g New Features (Oracle Press)
Oracle Database 10g New Features (Oracle Press)
Other various titles
Blog: http://robertgfreeman.blogspot.com 


________________________________

From: Howard Latham <howard.latham@xxxxxxxxx>
To: RStorey@xxxxxxxxxxxxxxxxxx
Cc: oracle-l-freelists <oracle-l@xxxxxxxxxxxxx>
Sent: Tue, March 23, 2010 6:19:26 AM
Subject: Re: password

Not wishing to cast any doubt upon anybody in this case, however, in
similar circumstances how can we be sure we are NOT helping someone HACK
into a system?



On 23 March 2010 13:07, Storey, Robert (DCSO)
<RStorey@xxxxxxxxxxxxxxxxxx> wrote:


        Do you know how it was encrypted?  Is the front end using an
encryption scheme or a vendor supplied encryption tool? 

         

        From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Zelli, Brian
        Sent: Tuesday, March 23, 2010 7:46 AM
        To: 'Holvoet, Jo'; oracle-l-freelists
        Subject: RE: password

         

        No it is encrypted.

         

         

         

        ciao,

        Brian

         

        Brian J. Zelli, Ed.M.

        Sr. Database Administrator

        Enterprise Application/Systems Integration

        Information Technology - Roswell Park Cancer Institute

        phone: (716) 845-4460 email: brian.zelli@xxxxxxxxxxxxxxx

         

         

         

________________________________

        From: Holvoet, Jo [mailto:jo.holvoet@xxxxxxxxxxxxx] 
        Sent: Tuesday, March 23, 2010 8:42 AM
        To: Zelli, Brian; oracle-l-freelists
        Subject: RE: password

        If the apps use it, can't you find it back on the app side ? If
not in the code, then in a config type file maybe ?

         

        mvg / regards,

        Jo Holvoet

________________________________

        From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Zelli, Brian
        Sent: Tuesday 23 March 2010 13:38
        To: oracle-l-freelists
        Subject: password

         

        I lost the password for a schema user that runs applications.  I
can't change it because it will crash the apps.  How can I figure out
what it was?  Does anyone have a hack script that can reveal it?

         

         

        ciao,

        Brian

         

         

         

        
        This email message may contain legally privileged and/or
confidential information. If you are not the intended recipient(s), or
the employee or agent responsible for the delivery of this message to
the intended recipient(s), you are hereby notified that any disclosure,
copying, distribution, or use of this email message is prohibited. If
you have received this message in error, please notify the sender
immediately by e-mail and delete this email message from your computer.
Thank you.

        




-- 
Howard A. Latham


