and if you hide all_users, I'll just select distinct owner from all_objects. Take away all_objects and I'll just use
ops$tkyte%ORA11GR1> select table_name from all_tab_columns where column_name = 'OWNER' and table_name like 'ALL\_%' escape '\';
TABLE_NAME
------------------------------
ALL_SDO_MAPS
ALL_SDO_GEOM_METADATA
ALL_SDO_THEMES
...
ALL_LOG_GROUP_COLUMNS
ALL_PLSQL_OBJECT_SETTINGS
ALL_CUBE_VIEWS
243 rows selected.
mdsys is well known, I don't really need all_users. I wouldn't even bother to look to see if it where there to try and access it.
And beside, if you try the default password and it works - all_users or not - the dba hasn't done the most basic of things (lock down the accounts).
Meaning - using any of the usual accounts with the tag line "A malicious user could easily say, “Oh look,
the <insert option name or your application here> is installed. Let me use the
default password and try to access this privileged account.” " doesn't make you look very good - does it? I mean, who in their right mind would go production with something like that.
And access to all_users wouldn't prevent anyone from trying anyway. I never look to see if CTXSYS exists before trying to log on as CTXSYS, I just do it.