RE: getting users passwords in plain text

  • From: "Elliott, Patrick" <patrick.elliott@xxxxxxxxxxxxx>
  • To: "vincent.verpoort@xxxxxxxxx" <vincent.verpoort@xxxxxxxxx>, Oracle-L Freelists <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 16 Oct 2007 09:06:42 -0500

The only way I know of is in 9i and lower, and then only if there is a database 
link.  The SYS.LINK$ table contains clear text passwords for database links to 
a remote database.  Otherwise you could get a copy of the official scrabble 
password dictionary OSPD and write a pl/sql package to hack the passwords.  If 
the passwords are strong ones, then this will be really difficult.  If the 
users are entering their own passwords and you are not enforcing strong 
passwords, then you might try just the usernames as passwords and see what you 
get.  Try the following in sqlplus:

set pages 0
set head off
set feed off
spool password_check.sql
select 'connect '||username||'/'||username
  from dba_users;
spool off
set feed on
spool password_check.log
spool off

Then look for any "Connected" messages.

This was a problem for us until we implemented strong password restrictions in 
our databases.  The above won't work if you are also.

You might try mixing up the password a bit also, like adding numbers to the 
end, or changing some of the letters to numbers.


From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Vincent verpoort
Sent: Tuesday, October 16, 2007 8:14 AM
To: Oracle-L Freelists
Subject: getting users passwords in plain text

Hi Experts,

I have a question that's a bit unethical.

For a company i'm working for i need to find out what the passwords are of 
oracle users. As changing them means a lot of work for allot of poeple.

Is there anyway i can clear text the password from dba database, i have sysdba 
and all privs.

any points would be nice also i want to put this into script so if anyone has 
something ?

                           Vincent Verpoort

              Communiceren is begrepen worden

Information transmitted by this email is proprietary to Medtronic and is 
intended for use only by the individual or entity to which it is addressed, and 
may contain information that is private, privileged, confidential or exempt 
from disclosure under applicable law. If you are not the intended recipient or 
it appears that this mail has been forwarded to you without proper authority, 
you are notified that any use or dissemination of this information in any 
manner is strictly prohibited. In such cases, please delete this mail from your 

To view this notice in other languages you can either select the following link 
or manually copy and paste the link into the address bar of a web browser:

Other related posts: