Overview#

Oracle Passwords in Databases

Oracle case-insensitive passwords#

Oracle case-insensitive passwords were used prior to 11g.

Oracle case-insensitive passwords#

The case-insensitive hash is actually NOT a hash but an encrypted username/password combination, which becomes a one-way hash by encrypting the result of the first run (after removing some bytes) again.

Oracle case-insensitive passwords are encrypted using a proprietary Protocol Data Encryption Standard (DES).

The Oracle case-insensitive password were used following 11g release 1 and are a 10-byte salt SHA-1 hash of only the password.

As of 11g Release 1 the database uses case-sensitive passwords as a standard. It is possible however to disable this new functionality by changing an initialization parameter.

Password Value Access#

Password values are accessible using either:

• 10g Release 2 (and previous versions) get 10g password hashes: SELECT username, password FROM dba_users WHERE username='<username>';
• 11g Release 1 (and later versions) get both 10g and 11g password hashes: SELECT name, password, spare4 FROM sys.user$ WHERE name='<username>';

Appears the password is the older hash and the newer is the spare4.

TAGS: passwords Oracle

More Information#

There might be more information for this subject on one of the following: ...nobody