Oracle impossible passwords, why?

When you set a password for a database user, Oracle either computes the password hash in the normal way or, if you bypass the hashing step, writes the value you supply directly into the PASSWORD column of sys.user$.

Just an example:

SQL> create user imppassword identified by imppassword;

User created.

SQL> select name,password from sys.user$ where name='IMPPASSWORD';

NAME                           PASSWORD
------------------------------ ------------------------------
IMPPASSWORD                    27D780816A86DC5C

When this user presents their credentials to Oracle at logon, Oracle hashes the supplied password, compares the result with the value stored in SYS.USER$, finds a match, and allows the user to connect.

SQL> grant connect,resource to imppassword;

Grant succeeded.

SQL> conn imppassword/imppassword;

Connected.

If we instead create the user and explicitly set the stored value ourselves, things are different.

SQL> create user password identified by values 'password';

User created.

SQL> grant connect,resource to password;

Grant succeeded.

SQL> select name,password from sys.user$ where name = 'PASSWORD';

NAME                           PASSWORD
------------------------------ ------------------------------
PASSWORD                       password

This time the stored value is the literal text string password. This is an impossible password: regardless of the input, the Oracle password hashing algorithm can never produce output that matches it, so nobody can log in as this user. That is why it is called an impossible password.

Why implement this?

Suppose you lock a user account instead. When an attacker tries to log in to that account, Oracle reports that the account is locked, and that error alone is useful information. Locking the default accounts tells an attacker which schemas, and therefore which features, are installed on a given database. That lets them plan an attack before they ever penetrate the database, building a list of potential exploits with the benefit of knowing which potentially vulnerable features are present.

SQL> conn scott/tiger

ERROR: ORA-28000: the account is locked

Warning: You are no longer connected to ORACLE.
SQL>

Furthermore, the attacker now knows the password for each such account is still set to its default value! Setting an impossible password and unlocking the accounts prevents an attacker from logging in, while revealing nothing about the existence of each account/schema or its password.

SQL> conn password/password

ERROR: ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

With impossible passwords, an attacker gets no information from an attempt to log in to the database with each default account and password. Less information is always better and it’s our responsibility to make a hacker’s job as difficult as possible.
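The post only shows the technique on a freshly created user. The script below is an added example, not part of the original post, that applies the same idea to existing default accounts (the post's SCOTT plus an example list of other names that you should adjust to your own installation) and then audits the result. It assumes the pre-11g layout shown in the post, where sys.user$.password holds a 16-character uppercase hex hash, and uses the same IDENTIFIED BY VALUES syntax the post uses; run it as a DBA in SQL*Plus.

```sql
-- Added example (not from the original post). Assumes sys.user$.password holds
-- the 16-hex-character hash shown in the post; the account list is illustrative.

-- 1. Give SCOTT a value that no hash can ever equal, and unlock it so a failed
--    logon returns ORA-01017 instead of the revealing ORA-28000.
ALTER USER scott IDENTIFIED BY VALUES 'impossible' ACCOUNT UNLOCK;

-- 2. Do the same for other default accounts. The IN list is an example only;
--    replace it with the default accounts present in your database.
BEGIN
  FOR r IN (SELECT username
              FROM dba_users
             WHERE username IN ('OUTLN', 'MDSYS', 'CTXSYS')) LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username ||
                      '" IDENTIFIED BY VALUES ''impossible'' ACCOUNT UNLOCK';
  END LOOP;
END;
/

-- 3. Audit. An account is protected in the post's sense only when it is OPEN
--    (no ORA-28000 leak) and its stored value cannot be the output of the hash.
SELECT u.name,
       d.account_status,
       CASE
         WHEN REGEXP_LIKE(u.password, '^[0-9A-F]{16}$') THEN 'HASH (real password stored)'
         WHEN u.password IS NULL                        THEN 'NULL (no 16-hex hash in this column)'
         ELSE 'IMPOSSIBLE'
       END AS password_kind
  FROM sys.user$  u
  JOIN dba_users  d ON d.username = u.name
 WHERE u.type# = 1                 -- users only; roles are type# 0
 ORDER BY u.name;
```

In the audit output, a row that is LOCKED or EXPIRED & LOCKED still leaks its existence through ORA-28000, and a row whose password_kind is HASH is a candidate for a default-password check; only OPEN plus IMPOSSIBLE gives the attacker nothing. The NULL branch is a caveat rather than a conclusion: a NULL in this column means the audit cannot classify the account from sys.user$.password alone.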

9 Comments
  1. Congratulation Azar, good explanation!

    February 27, 2012
  2. Excellent article, Mohamed.
    I've never used this method to lock accounts. Nice way to confuse an attacker.

    Regards,
    Marko

    February 28, 2012
  3. Really excellent, Azar. You're helping a lot.

    March 13, 2012
  4. abdul

    Hello Azar, but you haven't told how a DBA can log in to the password/password account.

    March 20, 2012
  5. pallave

    Hi Azar,
    I have an error in RMAN while I'm running the rman command in Linux.
    rman: error in while loading shared libraries:libclntsh.so.10.1: cannot open the shared object file:no such a file are directory.

    Can you please tell why this error is showing and how to solve it?

    March 31, 2012
  6. Rodrigo Fonseca Lopes

    User = SYS
    PassWord = 'impossible'

    conn / as sysdba
    ...works

    May 29, 2015
  7. David Snyder

    Oracle seems to have broken this so you can’t set your password to non-hex values in 12.1.0.2. Is there a viable alternative for their new scheme?

    September 25, 2015
