RE: getting users passwords in plain text
- From: "Powell, Mark D" <mark.powell@xxxxxxx>
- To: "Oracle-L Freelists" <oracle-l@xxxxxxxxxxxxx>
- Date: Fri, 19 Oct 2007 15:56:41 -0400
I see no reason why the user passwords are needed.
A DBA can on 10.2 create objects under that belong to the user and
perform grants on the users objects without having to logon as the user.
(Yes private database links and a couple of objects require using the
user id still but most DBA activity no longer requires switching to
being the user)
What was the reason given for needing the user passwords?
There is a way for a privileged user to change a user's password and
change it back without ever knowing what it was to begin with. This
technique has been posted before.
-- Mark D Powell --
Phone (313) 592-5148
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of John Darrah
Sent: Friday, October 19, 2007 1:25 PM
To: vincent.verpoort@xxxxxxxxx
Cc: Oracle-L Freelists
Subject: Re: getting users passwords in plain text
What version of the database? It sounds like you need to
connect as these users but don't know the passwords. First as was
stated above, its a one way hash so you can't get plain text passwords
from hash other than by brute force. Here are your options.
1) log in as a DBA user and type alter session set
current_schema=<user>. This won't actually make you the user but you
will be able to see the objects in that schema without typing the
<user>.object_name
2) if your on on 10.2, you can create a proxy user that connects
through the user who's password you don't know. google oracle "proxy
users" or "connect through". once this user is setup you can sqlplus
into the user who's password you don't know.
On 10/16/07, Vincent verpoort <vincent.verpoort@xxxxxxxxx>
wrote:
I think i was not very clear in my email
What i want is to convert the original hashed password
to plain text. I need to know that passwords because if i change them
now, the weblogic guys need a weekend to rest them all.
And as we don't have the time because where doing a release on
production systems,
this weekend i need the passwords of the users.
changing them means that during the installion of new
attributes we can't keep the pools open. editing the install to run it
from the system user means we have to
go back to the testing servers first and redo all
testing.
About the "I have a question that's a bit unethical. "
The user's are appliction weblogic connection pool
users. thats why its a bit unethical and not allot or illegal
Also because these are appliction connection users i
can't brute force them as it would not be in time unlesse i got about
7.8 year per user
and the big question
I just got here and the dba before me, well lets put it
this way: knew the stuff but didn't put it down anywhere. And doesn't
really wanne help anymore. why? don't ask me.
tomorrow ill be at work again and ill give
http://www.petefinnigan.com/weblog/archives/archive-102007.html ( see
october 9th : thanks Paul Drake ) a try, ill update this mail chain with
my findings.
and thank you for all the info it really helped
if anyone has anymore info or a quick fix please email
On 10/16/07, Vincent verpoort <
vincent.verpoort@xxxxxxxxx <mailto:vincent.verpoort@xxxxxxxxx> > wrote:
i thought of doing a insert into mytable values
(username,password); in the
$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
<http://download-uk.oracle.com/docs/cd/B10501_01/server.920/a96536/ch53.
htm#1005955> but i don't wanne edit or write anything more looking for
a scritp that converts the hase to plain text
On 10/16/07, Sweetser, Joe <JSweetser@xxxxxxxx >
wrote:
Not exactly sure what you want to do,
but you might google for the undocumented "alter user XXX identified by
values..." command. It will let you set the passwords back to what they
were without knowing them.
hth,
-joe
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto: oracle-l-bounce@xxxxxxxxxxxxx
<mailto:oracle-l-bounce@xxxxxxxxxxxxx> ] On Behalf Of Vincent verpoort
Sent: Tuesday, October 16, 2007 7:14 AM
To: Oracle-L Freelists
Subject: getting users passwords in
plain text
Hi Experts,
I have a question that's a bit
unethical.
For a company i'm working for i need to
find out what the passwords are of oracle users. As changing them means
a lot of work for allot of poeple.
Is there anyway i can clear text the
password from dba database, i have sysdba and all privs.
any points would be nice also i want to
put this into script so if anyone has something ?
--
Vincent
Verpoort
,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_
Communiceren is begrepen
worden
^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-.
--
Vincent Verpoort
,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_
Communiceren is begrepen worden
^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-.
--
Vincent Verpoort
,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_
Communiceren is begrepen worden
^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-.
Other related posts:
