New Versions But Old Vices

In today’s post I want to talk about passwords in Oracle, from very old versions, it is very easy to “catch” password changes using a sniffer. The recommendation of Oracle and that is given in many forums is to use the password command from sqlplus instead of executing an alter user. Currently the client should be smarter or at least give the option to encrypt this type of statements sql (alter)

Let’s go see an example. We connect using client 18 to a RDBMS 12.1 with user scott


Now we change he pass with alter user command like show below;

SQL> alter user scott identified by scott1234;

Using a sniffer (in this test Microsoft Message Analyzer) we can see the payload for tcp trame between my lagtop and the server in clear text;


Now using the password command from sqlplus. Show the tcp trame captured by the sniffer. Here you can not see  the text in clear;


How to minimize the risk

– First of all do not use “alter user”
– Use encrypted communications between the client and the database server (the Oracle native or a VPN), now from what I see, in this version (18) Oracle still does not protect the memory areas, the encryption in the The communications channel is partially distorted if there is access to the memory of the client computer. Windows DPAPI already implements in a fairly acceptable way memory encryption via CryptProtectMemory / ProtectedMemory




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s