RE: getting users passwords in plain text
- From: <Joel.Patterson@xxxxxxxxxxx>
- To: <pythianbrinsmead@xxxxxxxxx>, <vincent.verpoort@xxxxxxxxx>
- Date: Mon, 22 Oct 2007 08:18:19 -0400
Actually, you can change it back immediately after logging in. (users
can change their own password). However, that is probably besides the
point.
Joel Patterson
Database Administrator
joel.patterson@xxxxxxxxxxx
x72546
904 727-2546
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Mark Brinsmead
Sent: Saturday, October 20, 2007 8:53 PM
To: vincent.verpoort@xxxxxxxxx
Cc: Oracle-L Freelists
Subject: Re: getting users passwords in plain text
Vincent,
A number of the prior responses to your question have suggested --
perhaps not clearly enough -- that you can change a users password, and
then put it back to the original value without ever having known what it
was.
There is no known way (thankfully!) to extract plain-text passwords
for all database users. You can, however, do the following:
SQL> CONNECT / AS SYSDBA
SQL> SELECT PASSWORD FROM DBA_USERS WHERE USERNAME = 'YOUR_USER';
SQL> ALTER USER YOUR_USER IDENTIFIED BY "some-password-you-know";
SQL> CONNECT YOUR_USER/some-password-you-know
do what you need to do...
SQL> CONNECT / AS SYSDBA
SQL> ALTER USER YOUR_USER IDENTIFIED BY VALUES 'AABFEC8902AFB'; /*You
did write down the old password hash, right?*/
The PASSWORD returned by the SELECT statement is -- of course -- the
HASHED password. No use to you, right? Wrong! You can directly set a
user's password to a particular HASHED value using ALTER USER ...
IDENTIFIED BY VALUES ...
With luck, this technique should meet your needs, although you might
be well advised to get some approvals before you proceed with even this.
Altering users passwords without proper authorization is likely to
violate corporate policy in most places ( i.e., "get you *ss fired"),
and may break the law in many jurisdictions (i.e., get your *ss thrown
in jail). Certainly, extracting plain-text passwords from a database is
likely to violate the law in most places, so even if it were possible,
you would be nuts to do this.
I agree with Mark Powell -- there should be no reason that you
require users' password. To be completely honest, if you have some kind
of maintenance procedure that requires you to log in to the database as
many different users (whose passwords you are not entitled to know) then
I think you should probably concentrate on fixing your procedures rather
than sticking with something that risks getting your *ss fired and/or
imprisoned. At the very least, if you go with the method described
above, I would advise you to have written authorisations from everybody
in sight, including (at the very least) the director of your HR
department, your corporate security officer, and probably the CEO.
On 10/16/07, Vincent verpoort < vincent.verpoort@xxxxxxxxx
<mailto:vincent.verpoort@xxxxxxxxx> > wrote:
Hi Experts,
I have a question that's a bit unethical.
For a company i'm working for i need to find out what the passwords are
of oracle users. As changing them means a lot of work for allot of
poeple.
Is there anyway i can clear text the password from dba database, i have
sysdba and all privs.
any points would be nice also i want to put this into script so if
anyone has something ?
--
Vincent Verpoort
,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_
Communiceren is begrepen worden
^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-.
--
Cheers,
-- Mark Brinsmead
Senior DBA,
The Pythian Group
http://www.pythian.com/blogs
Other related posts:
