25 May, 2008

Passwords are One Way Hashes, Not Encrypted

Here is a simple demonstration that Oracle Database passwords are stored as one-way hashes, not as encrypted (reversible) values.

SQL> create user HEMA identified by SOMEBODY_2 ;

User created.

SQL> create user HEMASOME identified by BODY_2 ;

User created.

SQL> create user HEMASOMEBOD identified by Y_2 ;

User created.

SQL> create user HEMAS identified by OMEBODY_3 ;

User created.

SQL> select username, password from dba_users
2 where
3 (username != 'HEMANT')
4 and
5 (
6 (username like 'HEMA%')
7 )
8 order by username;

USERNAME                       PASSWORD
------------------------------ ------------------------------
[the four result rows were not preserved in this copy of the post]


The "password" column in DBA_USERS does not hold the password. In this release it holds Oracle's legacy password hash, which is computed over the username concatenated with the password (both upper-cased, since passwords before 11g are case-insensitive). The username therefore acts as the salt; the hashing algorithm itself is DES-based and has been publicly documented, so no secret "magic" salt is involved.

Thus, since "HEMA" + "SOMEBODY_2", "HEMASOME" + "BODY_2" and "HEMASOMEBOD" + "Y_2" all concatenate to the same string "HEMASOMEBODY_2", the so-called password visible in DBA_USERS is identical for all three accounts.

For the account "HEMAS", however, the concatenation gives "HEMASOMEBODY_3" (only the last character differs), and the resulting hash, and so the "password" in DBA_USERS, is completely different, exactly as a hash function should behave.

When a user logs in, Oracle neither encrypts the supplied password for comparison with the stored value nor decrypts the stored value; there is nothing to decrypt. It simply recomputes the hash of Username+Password and compares it with the stored hash.

That is how accounts with very different usernames and passwords can appear to have the "same" password in DBA_USERS: it is not a password at all, but a hash.

Two practical consequences follow. First, the scheme is weak by modern standards: the hash is fast and salted only by the username, so anyone who can read DBA_USERS (or SYS.USER$) can run an offline dictionary attack against it, and the upper-casing removes case from the keyspace. Treat the PASSWORD column as a secret and restrict who can select from DBA_USERS accordingly. Second, from 11g onwards Oracle additionally stores a salted SHA-1 hash in SYS.USER$.SPARE4 and passwords become case-sensitive, which removes the username-as-salt property shown here.
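The following is an added example, not code from the original post and not Oracle's own algorithm. It models the property demonstrated above: when username and password are concatenated with no separator and upper-cased before hashing, "HEMA"+"SOMEBODY_2", "HEMASOME"+"BODY_2" and "HEMASOMEBOD"+"Y_2" produce one and the same hash. SHA-256 stands in for Oracle's DES-based construction (an assumption made so the example runs on the Python standard library; the collision behaviour is the same because it depends only on the concatenated input). Alongside it is a hypothetical hardened scheme, with length-prefixed fields, case preserved, a random per-user salt and PBKDF2, showing that the same four accounts then get four distinct hashes. The four sample accounts are constructed from the post.

```python
import hashlib
import hmac
import os

# Constructed sample accounts, the same four the post creates.
SAMPLE_ACCOUNTS = [
    ("HEMA", "SOMEBODY_2"),
    ("HEMASOME", "BODY_2"),
    ("HEMASOMEBOD", "Y_2"),
    ("HEMAS", "OMEBODY_3"),
]


def legacy_style_hash(username, password):
    """Model of the pre-11g scheme: upper-case username+password, no
    separator, no per-user random salt, one fast hash.

    Oracle's real algorithm is DES-based; SHA-256 stands in for it here
    (an assumption so the example runs on the standard library). The
    property under discussion, that the hash depends only on the
    concatenated upper-cased string, is preserved."""
    material = (username + password).upper().encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def group_by_hash(accounts, hash_fn):
    """Return {hash: [usernames]} so that collisions become visible."""
    groups = {}
    for username, password in accounts:
        groups.setdefault(hash_fn(username, password), []).append(username)
    return groups


def _length_prefixed(field):
    """Encode a field as 4-byte big-endian length + UTF-8 bytes so the
    boundary between username and password is unambiguous."""
    data = field.encode("utf-8")
    return len(data).to_bytes(4, "big") + data


def hardened_hash(username, password, salt, iterations=100_000):
    """Hypothetical hardened scheme: length-prefixed fields (so
    'HEMA'+'SOMEBODY_2' and 'HEMASOME'+'BODY_2' encode differently),
    case preserved, random per-user salt, slow KDF (PBKDF2-HMAC-SHA256)."""
    material = _length_prefixed(username) + _length_prefixed(password)
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations).hex()


def new_credential(username, password):
    """What a hardened store would save per account: (salt, hash)."""
    salt = os.urandom(16)
    return salt, hardened_hash(username, password, salt)


def verify(username, password, salt, stored):
    """Recompute and compare in constant time; nothing is ever decrypted."""
    return hmac.compare_digest(hardened_hash(username, password, salt), stored)


if __name__ == "__main__":
    # Legacy model: three of the four accounts share one hash.
    for digest, users in group_by_hash(SAMPLE_ACCOUNTS, legacy_style_hash).items():
        print(digest[:16], users)
    # Hardened model with a fixed salt (fixed only so the demo is repeatable):
    # four accounts, four hashes.
    fixed_salt = b"\x00" * 16
    hardened = group_by_hash(
        SAMPLE_ACCOUNTS, lambda u, p: hardened_hash(u, p, fixed_salt))
    for digest, users in hardened.items():
        print(digest[:16], users)
```

Running it prints two groups for the legacy model (HEMA, HEMASOME and HEMASOMEBOD together, HEMAS alone) and four separate entries for the hardened model. The length prefix is what makes the field boundary unambiguous; the random salt and iteration count are what make an offline dictionary attack on a leaked table expensive, which the legacy scheme does not.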
