I found this documentation which confirms that 10g onwards client is encrypting the passwords: http://download.oracle.com/docs/cd/B19306_01/win.102/b14304/admin.htm#sthref294 My other question still stays open.. is there a toned down version of ASO (40 or 56-bit) encryption available for free? Thanks -Upendra From: nupendra@xxxxxxxxxxx To: oracle-l@xxxxxxxxxxxxx Subject: Clear text credentials? Date: Tue, 1 Mar 2011 14:38:26 -0500 Hello guys, Question.. When someone connects from Host_A to Host_B and if the communication is not encrypted using Advanced Security Option (ASO) or a similar mechanism, would the user credentials be sent in Clear Text? If so, is there a way to secure it? The requirement is to protect the username/password without using ASO/SSH Tunnel. If my memory serves correctly, a lower version of ASO (40 or 56-bit) encryption is available for free? Is that true? Your feedback is appreciated. Thanks -Upendra