I must thank my fellow DBA Franky Weber Faust for his publication in his blog.
Introduction: We live in a world of usernames and passwords. With the development of technology we all have countless passwords, and passwords play an important role in our lives. Oracle Database leads the industry in security. To maximize the security features offered by Oracle Database in any business environment, it is imperative that the database itself be well protected.

How do you change a password in Oracle Database in a secure way? While studying recently for a certification exam I came across a very interesting question that very few DBAs are aware of; I would guess that some 95% do not know this.

What I want to show here is that if you do not use encryption in SQL*Net, everything that goes from the client to the server is visible on the network: just run a sniffer on the network, or do as I did. So when you change the password of a database user with the best-known command, you are actually leaving your database even more vulnerable.

Let’s go to what I want to show …

Changing the password via SQL*Plus in an insecure way

I will run the tcpdump command to monitor my network card:

And then change my user’s password in the database through the SQL*Plus client:

Let’s see what was written to the tcpdump.log file. I’ll show only the part that matters, because tcpdump captures all the traffic that passed through this network card:

Note the danger: the command I used to change the password, including the password itself, is available to anyone who knows how to intercept it.

So I would like to introduce you to a command that few people know about and it is of great importance because it sends only the hash of the password to the database, even if you do not have Oracle Net encrypted.

Changing the password via SQL*Plus securely

I will generate a new tcpdump and store the output in another log:

I change the password via SQL*Plus again, but this time using the password command, which sends the password to the database in encrypted form and so increases the security of the environment a bit:

Let’s look at the generated tcpdump log file. Again I will only show the contents of the file that interests us:

Note that this time the password is not displayed.
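A defender can turn the comparison above into a check: scan captured SQL*Net payloads for an ALTER USER ... IDENTIFIED BY statement travelling in clear text, and raise an alert that redacts the password rather than repeating it. This is an added example, not code from the original post; the sample payloads are constructed, and it assumes the SQL text survives verbatim inside the TNS data packet, as the author's tcpdump output shows.

```python
import re

# Constructed sample payloads standing in for TNS data packets captured from
# an unencrypted SQL*Net session (assumption: the SQL text survives verbatim
# inside the packet, as the author's tcpdump output shows).
SAMPLE_PAYLOADS = [
    b"\x00\x00\x00\x9c\x06\x00\x00\x00\x00\x00\x03\x5e\x05\x00"
    b'ALTER USER franky IDENTIFIED BY "S3cr3t#2017"\x00',
    b"\x00\x00\x00\x40\x06\x00\x00\x00\x00\x00\x03\x5e\x05\x00"
    b"select sysdate from dual\x00",
    b"\x00\x00\x00\x60\x06\x00\x00\x00\x00\x00\x03\x5e\x05\x00"
    b"alter user scott identified by tiger account unlock\x00",
]

# Matches the statement the author captured; user name and password may be
# bare identifiers or double-quoted strings.
ALTER_USER_RE = re.compile(
    r'ALTER\s+USER\s+(?P<user>"[^"]+"|\w+)\s+IDENTIFIED\s+BY\s+(?P<pw>"[^"]+"|\w+)',
    re.IGNORECASE,
)

def find_cleartext_password_changes(payloads):
    """Return one record per ALTER USER ... IDENTIFIED BY statement found in
    clear text, with the password redacted so the alert itself does not leak it."""
    findings = []
    for raw in payloads:
        # latin-1 maps every byte to a code point, so the TNS framing bytes never
        # raise a decode error and the ASCII SQL text comes through intact.
        text = raw.decode("latin-1")
        for m in ALTER_USER_RE.finditer(text):
            statement = text[m.start():m.end()]
            findings.append({
                "user": m.group("user").strip('"'),
                "password_length": len(m.group("pw").strip('"')),
                "statement": statement.replace(m.group("pw"), "<redacted>"),
            })
    return findings

if __name__ == "__main__":
    for f in find_cleartext_password_changes(SAMPLE_PAYLOADS):
        print(f"cleartext password change for {f['user']}: {f['statement']}")
```

The SQL*Plus password command produces no such match, because the new password never appears as SQL text on the wire.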

Changing the password via SQL Developer in an insecure way (1)

“Ah Franky, but we usually change the password through SQL Developer.”

OK, let’s test the same scenario to see what happens …

I run tcpdump again:

And I change the password:

Let’s see the tcpdump log again:

For now it’s the same as in SQL*Plus.

Changing the password via SQL Developer in an insecure way (2)

Again I generate a tcpdump:
