--> Re: Oracle73 Password Encryption Function
dnagel,
Thanks for the feedback.
Yup, the user enters the new password normally (in English). I need to apply
Oracle's encryption routine to it in order to compare it with the stored
user password in Oracle's system tables.
"dnagel" <GrandNagel@hotmail.com> wrote:
>Not too experienced with encrypted passwords in Oracle...
>
>Are you saying that the user needs to enter an encrypted string
>or the user enters it normally and you are looking to compare
>the hashed password that Oracle stores in its system tables to your
>privately hashed password from the user's input?
>
>In the latter case, I would imagine you won't have much luck.
>
>I'm curious... D?
>
>
>"Jeffrey Nuestro" <jnuestro@yahoo.com> wrote in message
>news:3c5620b5$1@10.1.10.29...
>>
>> I have an application interfacing with Oracle 7.3
>>
>> I need to compare the new password, inputted using the application, to the
>> existing Oracle user password which is encrypted.
>>
>> Is there an Oracle encryption function which I can use to encrypt the new
>> password so I could compare it with the encrypted Oracle user password?
>>
>
>
Re: --> Re: Oracle73 Password Encryption Function
As stated, I have a limited background with Oracle internals,
but to my knowledge, there are no means for using their
routines to 're-scramble' the password.
Have a look here...
http://rr.sans.org/appsec/oracle.php
This looked interesting too...
http://www.orafaq.com/faqdbase.htm#INTERNAL
Re: --> Re: Oracle73 Password Encryption Function
dnagel,
Again, thank you very much for the feedback.
The two links you have provided made available specific alternatives to
what I had initially in mind.
I will try to make full use of the following items listed from orafaq.com
which speaks of managing passwords through profiles.
PASSWORD_LIFE_TIME - limits the number of days the same password can be used for authentication
PASSWORD_REUSE_TIME - number of days before a password can be reused
PASSWORD_REUSE_MAX - number of password changes required before the current password can be reused
I'll apprise you guys with the result of my tests.
Re: --> Re: Oracle73 Password Encryption Function
I have already tried using the items listed in my previous posting for Oracle's
password management, but it seems these items are not supported in Oracle73
and suit only Oracle8.
The following items were captured from my Oracle Worksheet screen.
ORA-00922: missing or invalid option
SQLWKS> create profile hello LIMIT
2> PASSWORD_LIFE_TIME 30
3> PASSWORD_REUSE_TIME 365
4> PASSWORD_REUSE_MAX 100;
PASSWORD_LIFE_TIME 30
*
ORA-02376: invalid or redundant resource
I also tried listing the resources available:
SQLWKS> select name from SYS.RESOURCE_MAP
2>
NAME
--------------------------------
COMPOSITE_LIMIT
SESSIONS_PER_USER
CPU_PER_SESSION
CPU_PER_CALL
LOGICAL_READS_PER_SESSION
LOGICAL_READS_PER_CALL
IDLE_TIME
CONNECT_TIME
PRIVATE_SGA
9 rows selected.
The password items are not present in this list when I think they should
be. Is this an Oracle version issue?
Do these password management items for Oracle8 have an equivalent in Oracle73?
Can you help me out with these items?