2011-10-26

11G password in DBA_USERS

User Passwords Are No Longer Visible In DBA_USERS As Of 11g [ID 735651.1]


Applies to:

Oracle Server - Enterprise Edition - Version: 11.1.0.6 and later   [Release: 11.1 and later ]
Information in this document applies to any platform.
Checked for relevance on 30-Aug-2011

Goal

Why user's (hashed) password is no longer visible in DBA_USERS?


Solution

In 11g, the PASSWORD column of the DBA_USERS view will no longer display the password hash.

The change to DBA_USERS is the result of a security enhancement, it was no longed deemed appropriate to show the password hashes in the DBA_USERS view as it may cause undesired exposure when access to this view is needed by 'unprivileged' users. This feature coincides with the introduction of the new hash algorithm, which is stored differently as compared to the visible hash in earlier releases anyway.

The old style hash is still stored in USER$.PASSWORD column, the new SHA-1 hash is in USER$.SPARE4, but none of them is exposed in DBA_USERS for security reasons.

The lack of a visible hash in DBA_USERS does not mean the user is externally authenticated. If a user is externally authenticated, this is explicitly indicated in the PASSWORD column by the value "EXTERNAL".

A documentation bug was opened, as the 11g documentation had not been updated to reflect the new

Niciun comentariu:

Trimiteți un comentariu