While discovering the internet's new trend StumbleUpon after reading Eddie Awad's last entry, I found a nice site, Red Database Security, about Oracle security. The whitepaper about passwords has useful paragraphs for Oracle DBAs.
Here is a sample paragraph about changing a user's password temporarily, without knowing the original password, by using the undocumented feature called "by values" of the alter user command. Suppose you want to log in as user HR but you don't know its password and you can't change it permanently. All you have to do is back up the hash key of the password from the dba_users table. Let's look at how:
From session 1: -- back up the hash key and change the password
idle> connect / as sysdba
Connected.
sys@XE> select username,password from dba_users where username='HR';
sys@XE> alter user hr identified by passwd;
From session 2: -- try to log on with the old password
idle> connect hr/hr
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
From session 1: -- log in with the temporary password, do your job and change it back
idle> connect hr/passwd;
Connected.
hr@XE> …..
-- do your job
hr@XE> connect / as sysdba
From session 2: -- vadaaaaaaa, the old password is still working
idle> connect hr/hr;
Because it is undocumented, try this carefully!!!
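The full save, change and restore sequence described above, as an added SQL*Plus example (not from the original post or the whitepaper). It assumes a release where DBA_USERS.PASSWORD exposes the hash, as on the XE instance above; the substitution variable name saved_hash is chosen here for illustration.

```sql
-- Added example: run in one SQL*Plus session, starting as a DBA-privileged user.
-- Assumption: DBA_USERS.PASSWORD holds the password hash (as on the XE instance above).
set verify off

-- Have SQL*Plus copy the PASSWORD column of the next query
-- into the client-side substitution variable &saved_hash.
column password new_value saved_hash

-- 1. Back up HR's current hash (no need to copy it by hand).
select username, password
  from dba_users
 where username = 'HR';

-- Stop capturing, so later queries cannot overwrite the saved value.
column password clear

-- 2. Set the temporary password used in the walkthrough.
alter user hr identified by passwd;

-- 3. Do the work as HR, then come back as SYSDBA.
--    Substitution variables live in the SQL*Plus client,
--    so &saved_hash survives the reconnects.
connect hr/passwd
-- ... do your job ...
connect / as sysdba

-- 4. Put the original hash back with the undocumented BY VALUES clause.
alter user hr identified by values '&saved_hash';

-- 5. Check that the stored hash is the one saved in step 1
--    before telling anyone the account is back to normal.
select username,
       case when password = '&saved_hash'
            then 'RESTORED'
            else 'MISMATCH'
       end as hash_status
  from dba_users
 where username = 'HR';
```

If step 5 reports MISMATCH, the account is still on the temporary password and the original owner will be locked out until the saved hash is applied again.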