SQL>
SQL> create user HEMA identified by SOMEBODY_2 ;
User created.
SQL> create user HEMASOME identified by BODY_2 ;
User created.
SQL> create user HEMASOMEBOD identified by Y_2 ;
User created.
SQL>
SQL> create user HEMAS identified by OMEBODY_3 ;
User created.
SQL>
SQL> select username, password from dba_users
2 where
3 (username != 'HEMANT')
4 and
5 (
6 (username like 'HEMA%')
7 )
8 order by username;
USERNAME PASSWORD
------------------------------ ------------------------------
HEMA 8E8C633A6DAEC8E4
HEMAS 9DB550C5CAA21E55
HEMASOME 8E8C633A6DAEC8E4
HEMASOMEBOD 8E8C633A6DAEC8E4
SQL>
The "password" stored in DBA_USERS is not the password at all: it is a hash of Username + Password. In this (pre-11g) format Oracle concatenates the username and the password, uppercases the result, and runs it through a DES-based one-way function keyed with a fixed constant (0x0123456789ABCDEF, published by Wright and Cid in 2005, so not a secret "magic" value). There is no random per-user salt; the only thing that distinguishes one user's hash from another's is the username that is prepended to the password, and that is exactly what the demonstration above exploits.
Since "HEMA" + "SOMEBODY_2", "HEMASOME" + "BODY_2" and "HEMASOMEBOD" + "Y_2" all concatenate to "HEMASOMEBODY_2", the hash, and therefore the value shown in DBA_USERS.PASSWORD, is identical for all three accounts.
For "HEMAS", however, the concatenation is "HEMASOMEBODY_3" (only the last character differs), and a one-character change in the input produces a completely different hash, so the DBA_USERS value differs too.
When a user logs in, Oracle neither encrypts the supplied password for comparison with the stored value nor decrypts the stored value with the supplied password. It simply computes the hash of Username + Password and compares it with the stored hash.
That is how accounts with very different usernames and passwords can appear to share the "same" password in DBA_USERS: it is not a password but a hash, and the hash depends only on the concatenated string.
Two practical points follow. The same password produces a different hash for every username, so hashes cannot be compared across accounts; but the uppercasing (passwords are case-insensitive in this format) and the lack of a random salt make these hashes fast to crack offline once read from DBA_USERS or SYS.USER$. That is why 11g introduced a salted, case-sensitive SHA-1 verifier and stopped displaying the hash in DBA_USERS.PASSWORD.
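The following Go program is an added example, not part of the original post or of Oracle's own code. It reimplements the pre-11g DBA_USERS.PASSWORD hash as documented publicly by Wright and Cid (uppercase the concatenation, encode as UTF-16BE, zero-pad, two passes of DES-CBC with a zero IV, the first under the fixed key 0x0123456789ABCDEF and the second under the last ciphertext block of the first pass), using only the Go standard library. Run against the four accounts from the SQL*Plus session above it reproduces the collision: HEMA/SOMEBODY_2, HEMASOME/BODY_2 and HEMASOMEBOD/Y_2 all yield one hash, HEMAS/OMEBODY_3 another. The function and variable names are my own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// fixedKey is the DES key Oracle uses for the first pass. It is a published
// constant (Wright and Cid, 2005), not a secret, and it is identical for every
// database and every user.
var fixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// OracleLegacyHash reproduces the pre-11g value of DBA_USERS.PASSWORD:
//  1. uppercase(username || password), encoded as UTF-16BE
//  2. zero-padded to a whole number of DES blocks
//  3. DES-CBC, zero IV, under fixedKey; the last ciphertext block becomes the second key
//  4. DES-CBC, zero IV, under that second key; the last ciphertext block is the hash
// Only the concatenated string matters, which is why HEMA/SOMEBODY_2 and
// HEMASOME/BODY_2 collide.
func OracleLegacyHash(username, password string) string {
	plain := encodeUTF16BE(strings.ToUpper(username + password))
	secondKey := lastCBCBlock(fixedKey, plain)
	return strings.ToUpper(hex.EncodeToString(lastCBCBlock(secondKey, plain)))
}

// encodeUTF16BE converts s to Oracle's multi-byte form (UTF-16BE, so each ASCII
// character becomes 0x00 followed by the character) and pads with zero bytes
// to a multiple of the 8-byte DES block size (at least one block).
func encodeUTF16BE(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 0, 2*len(units)+des.BlockSize)
	for _, u := range units {
		out = append(out, byte(u>>8), byte(u))
	}
	for len(out) == 0 || len(out)%des.BlockSize != 0 {
		out = append(out, 0x00)
	}
	return out
}

// lastCBCBlock encrypts plain with single DES in CBC mode under key, using an
// all-zero IV, and returns the final ciphertext block. Because of CBC chaining
// that block depends on every byte of the input.
func lastCBCBlock(key, plain []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a key that is not 8 bytes long
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(ct, plain)
	return ct[len(ct)-des.BlockSize:]
}

func main() {
	// The four accounts created in the SQL*Plus session above.
	accounts := [][2]string{
		{"HEMA", "SOMEBODY_2"},
		{"HEMASOME", "BODY_2"},
		{"HEMASOMEBOD", "Y_2"},
		{"HEMAS", "OMEBODY_3"},
	}
	fmt.Printf("%-30s %s\n", "USERNAME", "PASSWORD")
	for _, a := range accounts {
		fmt.Printf("%-30s %s\n", a[0], OracleLegacyHash(a[0], a[1]))
	}
}
```

Because the input is uppercased before hashing, OracleLegacyHash("hema", "somebody_2") returns the same value as the uppercase form, which is the case-insensitivity the 11g verifier later removed; the well-known default SCOTT/TIGER hashes to F894844C34402B67 and serves as a check that the implementation is faithful.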