I tested this intersting case and found password in Oracle stores information about user also.
Lets see this: -
Create 2 users with same passwords
SQL> create user sac2 identified by arora;
User created.
SQL> create user sac3 identified by arora;
User created.
And see this. Passwords are different!
SQL> select username,password from dba_users where username in ('SAC2','SAC3');
USERNAME PASSWORD
------------------------------ ------------------------------
SAC3 14B4A488EC66A22B
SAC2 BF07E5BFF7A43D66
Now lets try changing the password of SAC2 with the password of SAC3.
SQL>
SQL> alter user sac2 identified by values '14B4A488EC66A22B';
User altered.
Finally, lets try connecting
SQL> connect sac2/arora
ERROR:
ORA-01017: invalid username/password; logon denied
It fails ..
Now create another user in a different database by the name SAC2:
SQL-DB2> create user sac2 identified by arora;
User created.
SQL-DB2> select username,password from dba_users where username='SAC2';
USERNAME PASSWORD
------------------------------ ------------------------------
SAC2 BF07E5BFF7A43D66
The password matches with the password of SAC2 of first database
Conclusion:
Oracle doesnot store same passwords alike.It uses a combination of username and password. But the trick to hack the password is still unknown to me.
No comments:
Post a Comment