Learn Oracle password
In this excellent summary of Oracle passwords we see an outstanding
overview of Oracle password management:
The most frightening part of this Oracle password summary is the
section on brute-force attacks and the value of insisting on long
passwords and turning-on password disabling:
Oracle brute force attacks / Decryption
It is not possible to decrypt the hashstring but without salt it
is possible to do a brute force attack. There are several Oracle
brute force tools available. The tools encrypt the username/password
and compare the hashkey.
If they are identical you know the password. From simple SQL
based tools (300 pw/second) up to special C programs. The fastest
tool calculates 700.000 passwords/second. On a Pentium 4 with 3 GHz
- 17 seconds to calculate all 5-character-combinations
- 7 minutes to calculate all 6-character-combinations
- 3 hours to calculate all 7-character-combinations
The best section in this page is the technique used by Oracle DBA’s
to temporarily sign-on as a user while retaining their encrypted
How to change an Oracle password temporarily?
In Oracle it is possible to change a password temporarily. This can
be useful for DBA which act as a different user.
SQL> select username,password from
dba_users where username='SCOTT';USERNAME PASSWORD--------
SQL> alter user scott identified by
Now login with the following credentials: scott/tiger
After doing your work you can change the password back by using an
undocumented feature called "by values"
SQL> alter user scott identified by values
For a more-detailed review of Oracle password management techniques,
they have also published a nice presentation on “hardening” the
password security on PC’s that access Oracle: