Oracle DBMS - Don't Let Hackers Figure Out Passwords From Their Hash Values


Your database is in deep trouble if a hacker can simply reconstruct the passwords based on their hash values. That's why you should read Joshua Wright and Carlos Cid's October 2005 paper “An Assessment of the Oracle Password Hashing Algorithm,” which they presented at the SANS Network Security 2005 conference.


This paper details weaknesses and vulnerabilities in Oracle's hashing algorithm for storing database user passwords. It also describes what you can do to guard your database's password values. On Metalink (https://metalink.oracle.com/), you can read a note where Oracle responds to the issues the paper raises.

To learn about weaknesses in the Oracle database password hashing algorithm and find out what you can do to prevent the compromise of your databases:



Here's a summary of Oracle's recommendations and other actions you should take right away to protect your database:


  1. Force password complexity using a password verification function and profiles.
  2. Require users to change passwords regularly via profile limits.
  3. Limit access to dictionary tables that display password hash values, such as SYS.USER$ and SYS.USER_HISTORY$.
  4. Consider Oracle's Advanced Security Option or tunneling software for Oracle Net traffic encryption.
  5. Limit privileges for application server accounts.
  6. Turn on auditing for access to the DBA_USERS view.
  7. Consider Oracle's Advanced Security Option for alternative user authentication.
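The following is an added example of how recommendations 1, 2, 3, 5 and 6 look as Oracle SQL; it is not taken from the paper or from Oracle's Metalink note. The function name `verify_pw_policy`, the profile name `hardened_profile` and the account `app_user` are assumed names, and the specific limits (12 characters, 90 days, 5 failed logins) are example values to adjust to your own policy.

```sql
-- 1. Password complexity: a verification function, which Oracle requires to be
--    created in the SYS schema (run this connected AS SYSDBA). Assumed name.
CREATE OR REPLACE FUNCTION verify_pw_policy (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the username');
  END IF;
  IF NOT REGEXP_LIKE(password, '[0-9]') OR NOT REGEXP_LIKE(password, '[A-Za-z]') THEN
    raise_application_error(-20003, 'Password must contain both letters and digits');
  END IF;
  IF old_password IS NOT NULL AND password = old_password THEN
    raise_application_error(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- 1 + 2. A profile that enforces the function and regular password changes,
--        and locks the account briefly after repeated failures (example limits).
CREATE PROFILE hardened_profile LIMIT
  PASSWORD_VERIFY_FUNCTION verify_pw_policy
  PASSWORD_LIFE_TIME       90      -- days before a change is required
  PASSWORD_GRACE_TIME      7       -- days of warning before lockout
  PASSWORD_REUSE_MAX       10      -- old passwords remembered
  PASSWORD_REUSE_TIME      365     -- days before a password may be reused
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24;   -- lock for one hour

-- 3 + 5. Assign the profile to the application account and take away broad
--        dictionary access so it cannot read hashes from SYS.USER$ or USER_HISTORY$.
ALTER USER app_user PROFILE hardened_profile;
REVOKE SELECT ANY DICTIONARY FROM app_user;
REVOKE DBA FROM app_user;
-- Keep the old pre-8i behaviour off so SELECT ANY TABLE does not reach SYS tables
-- (takes effect at the next restart).
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE = SPFILE;

-- 6. Record every read of DBA_USERS so hash harvesting shows up in the audit trail.
AUDIT SELECT ON SYS.DBA_USERS BY ACCESS;
```

Verify the result with a test account: `ALTER USER app_user IDENTIFIED BY short1;` should now fail with ORA-20001, and a subsequent `SELECT * FROM dba_users` by that account should produce a row in DBA_AUDIT_OBJECT rather than the password hashes.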
