SQL> SET ECHO ON
SQL> @pwd.log
SQL> ALTER USER hr IDENTIFIED BY VALUES '2AB46277EE8215C4';
User altered.
The original password has now been restored and it is no longer possible to connect with
the temporary password “secret”.
SQL> SELECT password FROM dba_users WHERE username='HR';
PASSWORD
----------------
2AB46277EE8215C4
SQL> CONNECT hr/secret
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
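The restore step shown above presupposes that the hash was saved to pwd.log beforehand. The following SQL*Plus script is an added example, not taken from the book, that carries the whole procedure through: it spools an ALTER USER ... IDENTIFIED BY VALUES statement holding HR's current hash into pwd.log, sets a temporary password, and finally replays the spooled statement to put the original hash back. The file name pwd.log, the user HR, the temporary password "secret" and the use of OS authentication (CONNECT / AS SYSDBA) are assumptions. It reads the hash from DBA_USERS.PASSWORD, which is populated in Oracle 10g and earlier; in later releases that column is empty and the hash must be read from SYS.USER$ instead, although IDENTIFIED BY VALUES still works the same way.

```sql
-- Added example (not from the book): save HR's password hash, set a temporary
-- password, then restore the original hash from the spooled file.
-- Assumes a DBA session with OS authentication and Oracle 10g or earlier,
-- where DBA_USERS.PASSWORD still exposes the hash.
SET ECHO OFF
SET HEADING OFF
SET FEEDBACK OFF
SET PAGESIZE 0
SET LINESIZE 200
SET TRIMSPOOL ON

-- 1. Write an ALTER USER statement carrying the current hash into pwd.log
SPOOL pwd.log
SELECT 'ALTER USER "' || username || '" IDENTIFIED BY VALUES ''' || password || ''';'
FROM   dba_users
WHERE  username = 'HR';
SPOOL OFF

SET HEADING ON
SET FEEDBACK ON
SET PAGESIZE 14

-- 2. Set a temporary password (an assumption) and work as HR
ALTER USER hr IDENTIFIED BY secret;
CONNECT hr/secret
-- ... whatever had to be done as HR goes here ...

-- 3. Reconnect with DBA privileges and replay the spooled statement
CONNECT / AS SYSDBA
SET ECHO ON
@pwd.log

-- 4. Verify: the temporary password must now be rejected with ORA-01017
CONNECT hr/secret
```

Keep pwd.log out of reach of other users while the script runs: the hash it contains is exactly what ALTER USER ... IDENTIFIED BY VALUES needs to impersonate HR.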
The password hash depends on the user name, i.e., the same password used for different
users yields different password hashes. Here's an example:
SQL> CREATE USER U1 IDENTIFIED BY "Rattle And Hum";
User created.
SQL> CREATE USER U2 IDENTIFIED BY "Rattle And Hum";
User created.
SQL> SELECT username, password FROM dba_users WHERE username IN ('U1', 'U2');
USERNAME                       PASSWORD
------------------------------ ------------------------------
U1                             07A31E4964AEAC50
U2                             31019CA688540357
Locking Accounts with ALTER USER IDENTIFIED BY VALUES
By following Oracle Corporation's recommendation to lock the accounts of internal schemas
such as CTXSYS, MDSYS, XDB, OLAPSYS, etc., you allow an attacker to find out which
components are installed and to specifically exploit vulnerabilities in these components. The error
“ORA-28000: the account is locked” tells the attacker that a certain schema does exist. You
might prefer leaving the account open, while setting an impossible password hash with ALTER
USER IDENTIFIED BY VALUES. Attempts to connect will then result in “ORA-01017: invalid username/
password; logon denied”, so the attacker gains no information on which user names
exist. Since it is impossible to specify a password that matches the invalid password hash,
such an account is effectively locked, even without an expired password.
SQL> ALTER USER ctxsys IDENTIFIED BY VALUES 'LOCKED' ACCOUNT UNLOCK;
User altered.
SQL> SELECT password FROM dba_users WHERE username='CTXSYS';
PASSWORD
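The following PL/SQL block is an added example, not from the book, that applies the technique just described to several internal schemas in one go and then verifies the result. The list of schema names is an assumption and should be adjusted to the components actually installed; schemas that are not present are skipped because the block iterates over DBA_USERS. As in the text, the placeholder 'LOCKED' is not a valid 16-hex-digit hash, so no password can ever match it, while ACCOUNT UNLOCK keeps ACCOUNT_STATUS at OPEN, so a logon attempt fails with ORA-01017 rather than ORA-28000. The verification query relies on DBA_USERS.PASSWORD, which is only populated in Oracle 10g and earlier.

```sql
-- Added example (not from the book): lock internal schemas with an impossible
-- hash instead of ACCOUNT LOCK, so that failed logons do not reveal the schema.
-- Requires DBA privileges; the schema list is an assumption.
BEGIN
  FOR u IN (SELECT username
            FROM   dba_users
            WHERE  username IN ('CTXSYS', 'MDSYS', 'XDB', 'OLAPSYS')) LOOP
    -- 'LOCKED' cannot be produced by any password, so the account is
    -- effectively locked; ACCOUNT UNLOCK keeps it in OPEN state.
    EXECUTE IMMEDIATE 'ALTER USER "' || u.username ||
                      '" IDENTIFIED BY VALUES ''LOCKED'' ACCOUNT UNLOCK';
  END LOOP;
END;
/

-- Verify: status stays OPEN, but the stored hash is the placeholder.
-- Expected: account_status = 'OPEN' and password = 'LOCKED' for each schema.
SELECT username, account_status, password
FROM   dba_users
WHERE  username IN ('CTXSYS', 'MDSYS', 'XDB', 'OLAPSYS')
ORDER  BY username;
```

Because the affected schemas are left OPEN, this change is invisible to tools that only report locked accounts; record which schemas were treated this way so that a later administrator does not mistake them for usable logins.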
 