validate password within PL/SQL?

  • arktikturtle@correct_the_spelling.yahoo.com

    validate password within PL/SQL?

    Hi! I'm looking for a way to validate a password within PL/SQL. I want to
    write

    CREATE PROCEDURE change_password (old_password IN VARCHAR2)
    IS
    BEGIN
    -- check if old_password is correct... but how?

    I can get the hashed value of the password from DBA_USERS, of course, but is
    there a way to hash old_password to see if it matches? (I wouldn't be
    surprised if Oracle doesn't supply access to its one-way password hashing
    algorithm... too useful for a password cracker...)

    I can't actually try a CONNECT statement from within PL/SQL, right? And even
    if I could, that would kill my current connection, right? That's no good...

    Of course, because the user logged in successfully, they obviously had the
    correct password at one point. But what if they logged in, left their desk,
    and now somebody else is trying to change their password? Limiting idle_time
    in the user's profile reduces the risk of this, but it's also really
    annoying, especially if the time is short enough to protect every stroll to
    the coffeepot.

    The PASSWORD command in SQL*Plus prompts for old password, but I'm trying to
    put this in a procedure that can be called from a GUI.

    OK, here's an idea! I can create a dummy user identified by the supplied
    old_password, then SELECT PASSWORD FROM DBA_USERS to see if the hashed
    password of the dummy user matches the hashed password of the application
    user... nope, didn't work! Apparently the algorithm doesn't have a simple 1
    clear-text-password: 1 hashed-password mapping; each username/password
    combination gets a different result.

    As you can see, I'm running out of ideas. Can anyone help?

    Thanks very much!
    - Catherine



    ----- Posted via NewsOne.Net: Free (anonymous) Usenet News via the Web -----
    http://newsone.net/ -- Free reading and anonymous posting to 60,000+ groups
    NewsOne.Net prohibits users from posting spam. If this or other posts
    made through NewsOne.Net violate posting guidelines, email abuse@newsone.net
  • FaheemRao

    #2
    Re: validate password within PL/SQL?

    I may not be able to help you exactly with what you are trying to do, but
    here is one tip. May it help you.
    For example,
    if you get the hashed value of a password, say "ABC", and the hashed
    value is, say, "qwer", now you change the password ABC to "def".
    Now do this:

    alter user test identified by values 'qwer';  -- VALUES installs the stored hash as-is instead of hashing 'qwer' as a new password

    Now the password is again ABC
    ;)


    Faheem

    arktikturtle@correct_the_spelling.yahoo.com wrote in message news:<brdc6p$vlr$1@news.netmar.com>...


    • Justin Cave

      #3
      Re: validate password within PL/SQL?

      arktikturtle@correct_the_spelling.yahoo.com wrote in message news:<brdc6p$vlr$1@news.netmar.com>...
      > Hi! I'm looking for a way to validate a password within PL/SQL. I want to
      > write
      >
      > CREATE PROCEDURE change_password (old_password IN VARCHAR2)
      > IS
      > BEGIN
      > -- check if old_password is correct... but how?
      The easiest way I could envision doing something like this would be to
      create a Java stored procedure that attempted to connect with the
      supplied username & password.
      > OK, here's an idea! I can create a dummy user identified by the supplied
      > old_password, then SELECT PASSWORD FROM DBA_USERS to see if the hashed
      > password of the dummy user matches the hashed password of the application
      > user... nope, didn't work! Apparently the algorithm doesn't have a simple 1
      > clear-text-password: 1 hashed-password mapping; each username/password
      > combination gets a different result.
      I'd strongly suspect that the hash takes into account at least the
      username & the machine the database is on. It would be really
      unfortunate if I could take information from DBA_USERS on the
      production machine, copy it over to my laptop, and start cracking
      passwords. Not incorporating username & machine information into the
      hash's salt would allow this sort of thing, so I'm pretty darn certain
      Oracle doesn't allow it.

      Justin Cave
      Distributed Database Consulting, Inc.


      • Frank

        #4
        Re: validate password within PL/SQL?

        arktikturtle@correct_the_spelling.yahoo.com wrote:
        There may be no need for it; any user is allowed to change his
        own password with "alter user <current_userid> identified by <new_password>"

        SQL> create user demo identified by demo default tablespace users;
        User created.

        SQL> grant create session to demo;
        Grant succeeded.

        SQL> connect demo/demo@o920
        Connected.

        SQL> alter user demo identified by nemo;
        User altered.

        SQL> connect demo/nemo@o920
        Connected.

        So, create your procedure with invoker's rights and
        change the password - as you mention, the user is
        logged on, so has to know his/her password.

        The obvious risk is someone else is actually changing
        the password, while the user strolled off, leaving the
        application open.
        I'll leave it to you to shoot those endusers ;-)
        --
        Regards, Frank van Bortel
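As an added example (not code from the thread or from any of its posters), here is a procedure along the lines Frank describes: it runs with invoker's rights so the ALTER USER executes as the caller, who is always allowed to change their own password, and it builds the DDL without concatenating raw input. The procedure name, the sanity checks and the use of DBMS_ASSERT are my choices; it assumes Oracle 10g or later, and the REPLACE clause is standard ALTER USER syntax that the thread does not mention.

```sql
-- Added example, not code from the thread. Invoker's-rights procedure that lets
-- the connected user change only their own password (Frank's approach), with the
-- ALTER USER built safely. Assumed: Oracle 10g or later (DBMS_ASSERT), and that a
-- PASSWORD_VERIFY_FUNCTION is set on the caller's profile so REPLACE is enforced.
CREATE OR REPLACE PROCEDURE change_my_password (
    p_old_password IN VARCHAR2,
    p_new_password IN VARCHAR2)
AUTHID CURRENT_USER   -- run as the caller; a user may always alter their own password
IS
    v_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    v_sql  VARCHAR2(4000);
BEGIN
    IF p_old_password IS NULL OR p_new_password IS NULL THEN
        RAISE_APPLICATION_ERROR(-20001, 'Old and new password are both required');
    END IF;
    IF p_new_password = p_old_password THEN
        RAISE_APPLICATION_ERROR(-20002, 'New password must differ from the old one');
    END IF;

    -- Passwords go into DDL, so they must never be concatenated raw: a stray
    -- double quote or a crafted value would become part of the statement.
    -- DBMS_ASSERT.ENQUOTE_NAME wraps each value in double quotes and raises
    -- ORA-06502 if the value already contains one, so every fragment is a single
    -- quoted identifier. capitalize => FALSE keeps the password's case.
    v_sql := 'ALTER USER '     || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE)
          || ' IDENTIFIED BY ' || DBMS_ASSERT.ENQUOTE_NAME(p_new_password, FALSE)
          || ' REPLACE '       || DBMS_ASSERT.ENQUOTE_NAME(p_old_password, FALSE);

    -- REPLACE makes the server compare p_old_password with the stored verifier
    -- (ORA-28008 "invalid old password" on mismatch) before accepting the change,
    -- which is the check the original post was looking for. Without a password
    -- verify function on the profile the clause is not enforced, so keep one set.
    EXECUTE IMMEDIATE v_sql;
END change_my_password;
/
```

Call it from the GUI's session as the user whose password is being changed; because the unit is invoker's rights, a caller cannot use it to change anyone else's password.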
