25 May, 2008

Passwords are One Way Hashes, Not Encrypted

Here's a simple demonstration that Oracle Database passwords are stored as one-way hashes, not as encrypted values.


SQL>
SQL> create user HEMA identified by SOMEBODY_2 ;

User created.

SQL> create user HEMASOME identified by BODY_2 ;

User created.

SQL> create user HEMASOMEBOD identified by Y_2 ;

User created.

SQL>
SQL> create user HEMAS identified by OMEBODY_3 ;

User created.

SQL>
SQL> select username, password from dba_users
2 where
3 (username != 'HEMANT')
4 and
5 (
6 (username like 'HEMA%')
7 )
8 order by username;

USERNAME PASSWORD
------------------------------ ------------------------------
HEMA 8E8C633A6DAEC8E4
HEMAS 9DB550C5CAA21E55
HEMASOME 8E8C633A6DAEC8E4
HEMASOMEBOD 8E8C633A6DAEC8E4

SQL>


The "password" stored in DBA_USERS is actually a hash of the username concatenated with the password, both uppercased (which is why passwords on these releases are case-insensitive). There is no secret per-user salt: the algorithm is public (it was published by Wright and Cid in 2005) and uses DES in CBC mode with a fixed, well-known key, so the only per-account input that varies is the username itself.
Thus, since "HEMA" + "SOMEBODY_2" is the same string as "HEMASOME" + "BODY_2" and "HEMASOMEBOD" + "Y_2" (in all three cases it is "HEMASOMEBODY_2"!), the so-called password visible in DBA_USERS is identical for all three accounts.

For the account "HEMAS", however, the concatenation of username and password is a different string, "HEMASOMEBODY_3" (only the last character differs!), so the resulting hash, and therefore the "password" shown in DBA_USERS, is completely different.

When a user enters a username and password, Oracle does not encrypt the supplied password for comparison with the stored value, nor decrypt the stored value with the user-supplied password. It simply computes the hash of username + password and compares it with the stored hash.

That is how users with quite different usernames and passwords can seemingly have the "same" password stored in DBA_USERS: it is not really a password but a hash.

The security consequence is that the hash must be protected like a password. Because the algorithm and key are fixed and the only salt is the username, anyone who can read DBA_USERS (or SYS.USER$) can guess passwords offline at DES speed, which is why SELECT on those views should be limited to DBAs. From 11g the PASSWORD column of DBA_USERS is left blank and a salted SHA-1 hash is kept in SYS.USER$.SPARE4, with case-sensitive passwords.
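To make the point concrete, here is a reimplementation of the published pre-11g Oracle password hash (Wright and Cid, 2005) that reproduces the collision shown in the SQL*Plus session above and then demonstrates the offline guessing that an exposed hash permits. This is an added example, not code from the original post or from Oracle; it assumes ASCII usernames and passwords, and the account names, wordlist and the GuessPassword helper are constructed for illustration.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// fixedKey is the constant first-pass DES key of the pre-11g Oracle password
// hash, as published by Wright and Cid in 2005. It is not a secret.
var fixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}

// cbcMAC encrypts data with single DES in CBC mode under a zero IV and returns
// only the final ciphertext block, which is all the Oracle algorithm keeps.
func cbcMAC(key, data []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:], nil
}

// OraclePasswordHash reproduces the 16-hex-digit value that DBA_USERS.PASSWORD
// shows for an account on Oracle 7 through 10g. The input that gets hashed is
// the uppercased concatenation username+password, so a different split of the
// same combined string yields the same hash (the collision the post shows).
func OraclePasswordHash(username, password string) (string, error) {
	plain := strings.ToUpper(username + password)
	if plain == "" {
		return "", errors.New("username and password are both empty")
	}
	// Oracle stores each character as a 2-byte code unit, high byte first
	// (UTF-16BE for the ASCII names assumed here).
	var buf []byte
	for _, u := range utf16.Encode([]rune(plain)) {
		buf = append(buf, byte(u>>8), byte(u))
	}
	// Zero-pad up to a whole number of 8-byte DES blocks.
	for len(buf)%des.BlockSize != 0 {
		buf = append(buf, 0)
	}
	// Pass 1: CBC-MAC under the fixed key; the result becomes the key for pass 2.
	k2, err := cbcMAC(fixedKey, buf)
	if err != nil {
		return "", err
	}
	// Pass 2: CBC-MAC of the same padded plaintext under the derived key.
	h, err := cbcMAC(k2, buf)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(h)), nil
}

// GuessPassword (hypothetical helper) shows why exposure of the hash matters:
// with the username known and no per-user random salt, each candidate costs
// just two DES-CBC passes. It returns the first candidate whose hash matches.
func GuessPassword(username, storedHash string, candidates []string) (string, bool) {
	for _, c := range candidates {
		h, err := OraclePasswordHash(username, c)
		if err == nil && h == strings.ToUpper(storedHash) {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed accounts mirroring the post's demonstration.
	accounts := [][2]string{
		{"HEMA", "SOMEBODY_2"},
		{"HEMASOME", "BODY_2"},
		{"HEMASOMEBOD", "Y_2"},
		{"HEMAS", "OMEBODY_3"},
	}
	for _, a := range accounts {
		h, err := OraclePasswordHash(a[0], a[1])
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s %s\n", a[0], h)
	}
	// Constructed wordlist: an offline guess against the hash the post printed.
	if pw, ok := GuessPassword("HEMA", "8E8C633A6DAEC8E4", []string{"TIGER", "MANAGER", "SOMEBODY_2"}); ok {
		fmt.Println("recovered password for HEMA:", pw)
	}
}
```

The first three accounts print the same 16-hex-digit value because the padded plaintext fed to DES is byte-for-byte identical; the fourth differs in one character and so in every output bit. Note that the fixed key and the two CBC-MAC passes give the attacker nothing to brute-force except the password itself, which is what makes read access to the hash column equivalent to an offline dictionary attack.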
