CHAPTER 15
ALTER USER IDENTIFIED BY VALUES
ALTER USER username IDENTIFIED BY VALUES 'password_hash' is an undocumented SQL statement.
It is used internally by import utilities to store a password hash, which was previously
saved with an export utility, in the data dictionary base table SYS.USER$. In situations where a
DBA needs to connect as a certain user, but does not or must not know the password of that
user, the capability to restore a saved password hash saves time and spares the DBA the
annoyance of asking around for passwords.
The IDENTIFIED BY VALUES clause may also be used along with the SQL statement CREATE
USER to create a new user account in a database. Provided that the underlying password is long and
complex enough to withstand a brute force password attack, CREATE USER username IDENTIFIED
BY VALUES may be used in scripts that need to create certain database accounts without exposing
the clear text password. In this context, brute force means trying all character combinations to
guess a password, computing the password hash for each guessed password. The process
stops when a password that matches the password hash is found. I am not aware of any utility
that performs a brute force attack on passwords with 15 or more characters. Even a small character
repertoire containing letters, digits, and an underscore (38 characters in all) allows for
4.9746E+23 passwords consisting of 15 characters. Even if hardware that could try one trillion
passwords per second should become available one day, it would still take more than 15000 years
to try all 15-character combinations. Hence such long passwords are immune to brute force
attacks.
The Password Game
Regularly, DBAs are asked to create database objects in another user's schema or to investigate
malfunctions that manifest themselves only when working with a certain user. Often, a DBA
does not know the password to connect as a particular user. Company policy may not even
allow him to obtain the password from a colleague, or none of the colleagues on shift know the
password. In situations like these, the DBA will often be able to complete a task much more
quickly if he or she has access to the schema involved. As a solution, the DBA can record the
password hash of the schema, change the password, connect using the changed password, and
reset the password hash. This chapter explains the approach made possible by the undocumented
SQL statement ALTER USER IDENTIFIED BY VALUES. Some tasks can only be accomplished
by connecting to the schema in question, rendering the approach presented here the only path
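The record, change, connect, restore sequence described above, written out as an added SQL*Plus script (example code, not from the book). It assumes the target account is SCOTT, the DBA session is connected AS SYSDBA, and the hash is kept in the PASSWORD column of SYS.USER$, as in the release the chapter discusses; later releases may hold the password verifier in other columns of that table.

```sql
-- Added example: the "password game" as a SQL*Plus script run by a DBA.
-- Assumptions (not from the book): target account SCOTT, DBA connected
-- AS SYSDBA, hash stored in SYS.USER$.PASSWORD. Both ALTER USER statements
-- are privileged changes and should be recorded in the change ticket.
SET VERIFY OFF

-- Step 1: record the current hash in a substitution variable and in a
-- spool file, so it survives even if this SQL*Plus session is lost.
COLUMN password NEW_VALUE saved_hash
SPOOL scott_hash_backup.lst
SELECT password FROM sys.user$ WHERE name = 'SCOTT';
SPOOL OFF

-- Step 2: set a temporary password known only to the DBA. If the user's
-- profile enforces a password verify function, the value must satisfy it.
ALTER USER scott IDENTIFIED BY temp_pw_1;

-- Step 3: connect as the user and carry out the task.
CONNECT scott/temp_pw_1
-- ... work in the SCOTT schema ...

-- Step 4: reconnect as the DBA and restore the saved hash verbatim.
CONNECT / AS SYSDBA
ALTER USER scott IDENTIFIED BY VALUES '&saved_hash';

-- Check: the stored hash equals the value saved in step 1.
SELECT CASE WHEN password = '&saved_hash' THEN 'restored' ELSE 'MISMATCH' END
         AS hash_check
FROM   sys.user$
WHERE  name = 'SCOTT';
```

The spool file holds the original hash in clear, so treat it with the same care as a data dictionary export and delete it once the check reports "restored".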