Overview
Oracle Passwords in Databases
Oracle case-insensitive passwords were used prior to 11g.
The case-insensitive hash is actually NOT a hash but an encrypted username/password combination, which becomes a one-way hash by encrypting the result of the first run (after removing some bytes) again.
Oracle case-insensitive passwords are encrypted using a proprietary protocol based on the Data Encryption Standard (DES).
Oracle case-sensitive passwords have been used since 11g Release 1 and are a SHA-1 hash, with a 10-byte salt, of only the password.
As of 11g Release 1 the database uses case-sensitive passwords as a standard. It is possible however to disable this new functionality by changing an initialization parameter.
Password values are accessible using either:
- 10g Release 2 (and previous versions) get 10g password hashes: SELECT username, password FROM dba_users WHERE username='<username>';
- 11g Release 1 (and later versions) get both 10g and 11g password hashes: SELECT name, password, spare4 FROM sys.user$ WHERE name='<username>';
It appears that the password column holds the older hash and the spare4 column holds the newer one.
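An added example, not code from the original page: it takes rows shaped like the output of the second query (name, password, spare4) and reports which accounts still store the older case-insensitive hash. The column layouts are assumptions not given on the page (a 16-hex-character 10g hash; spare4 as "S:" followed by a 40-hex SHA-1 digest and a 20-hex salt, with the digest taken over the password followed by the salt), and the function names and sample rows are constructed for illustration.

```python
import hashlib
import re

# Assumed layouts (not stated on the page):
#   password column: 10g hash, 16 hex characters
#   spare4 column:   "S:" + 40 hex SHA-1 digest + 20 hex salt (10 bytes)
LEGACY = re.compile(r"^[0-9A-Fa-f]{16}$")
S_PART = re.compile(r"^S:([0-9A-Fa-f]{40})([0-9A-Fa-f]{20})$")

def parse_spare4(spare4):
    """Return (digest, salt) as bytes from the S: component, else None."""
    for part in (spare4 or "").split(";"):  # ignore any other components
        m = S_PART.match(part.strip())
        if m:
            return bytes.fromhex(m.group(1)), bytes.fromhex(m.group(2))
    return None

def sha1_verifier(password, salt):
    """Build a sample spare4 value: SHA-1(password + salt); no username input."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + digest.upper() + salt.hex().upper()

def audit(rows):
    """Map each account name to the hash versions stored for it."""
    report = {}
    for name, password, spare4 in rows:
        versions = []
        if password and LEGACY.match(password):
            versions.append("10g")
        if parse_spare4(spare4):
            versions.append("11g")
        report[name] = versions
    return report

def legacy_accounts(rows):
    """Accounts that still store the case-insensitive 10g hash."""
    return sorted(n for n, v in audit(rows).items() if "10g" in v)

# Constructed sample rows (name, password, spare4); not from a real database.
SALT_A = bytes.fromhex("00112233445566778899")
SALT_B = bytes.fromhex("99887766554433221100")
ROWS = [
    ("APP_OWNER", "0123456789ABCDEF", sha1_verifier("Example#1", SALT_A)),
    ("REPORTING", None, sha1_verifier("Example#1", SALT_B)),
    ("OLD_BATCH", "FEDCBA9876543210", None),
]

if __name__ == "__main__":
    print(audit(ROWS))
    print("legacy:", legacy_accounts(ROWS))
```

The two sample accounts that share a password get different spare4 values because only the salt differs, which is the practical effect of hashing the password alone with a per-account salt.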
TAGS: passwords Oracle