Skip to Main Content
  • Questions

  • Find Existing Oracle Password Encryption

Breadcrumb

Question and Answer

Chris Saxon

Thanks for the question, Erik.

Asked: August 29, 2018 - 9:41 pm UTC

Last updated: August 30, 2018 - 3:07 pm UTC

Version: 10g

Viewed 1000+ times

You Asked

We currently run Oracle 10g. We have WebDB applications. The Webpage where users can change their passwords to access the WebDB applications no longer works.

The only access I have to modify or unlock user access is the Oracle Enterprise Management Console installed on my PC. When I modify a users password, it is stored in the sys.user$ table and the time is updated.

Since I cannot change via the web I was trying to create a new password page using PL/SQL. I do not know how to store the encrypted password using a submit function. I do not know what encryption the OEM console on my PC uses to encrypt the passwords.

Is there a place within my DB where I can find the encryption, key, etc. that the current system uses so I can replicate it.

and Chris said...

First up, you don't encrypt passwords. You hash them. The difference is hashing is a one-way operation. So there's no (easy) way to figure out what the passwords. Whereas encryption implies a decryption step, making it possible to figure out what passwords are if you have the keys. This is bad!

Secondly, you shouldn't be looking in sys.user$ and trying to replicate that. If the passwords are for database users, you can change them with:

alter user <username> identified by <password>;


And the database will handle the hashing for you.

But it's rare web applications give people database accounts. Usually the application stores user accounts in its own table. With its own way of hashing passwords.

You need to speak with your developers to figure out what this is.

Rating

  (1 rating)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Erik Toups, August 30, 2018 - 9:51 pm UTC

Thank you. That is the road I will be using to enable password change.
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database