Oracle password reset

You can find original user password in table USER$. Because of security improvements it is not exposed in DBA_USERS view anymore since version 10G. Moreover password is hashed so once set you are not able to know original value. Access to USER$ is as well very restricted.

CREATE USER tomasz IDENTIFIED BY dbaora;

SELECT name, password
FROM sys.user$
WHERE NAME='TOMASZ';

NAME    PASSWORD
------- -------------------
TOMASZ  062AB3D111CBAC0F   

SELECT username, password
FROM dba_users
WHERE username='TOMASZ';

USERNAME  PASSWORD
--------- ----------------
TOMASZ

There are two simple method to change password for a user in Oracle database.

ALTER USER tomasz IDENTIFIED BY newpass;

SELECT name, password
FROM sys.user$
WHERE NAME='TOMASZ';

NAME    PASSWORD
------- -------------------
TOMASZ  C3ED4B8DAA60D1FD

another option is to use hash value. Notice I have used old hash value here. So I can connect using old password.

ALTER USER tomasz IDENTIFIED BY VALUES '062AB3D111CBAC0F';

sqlplus> CONNECT tomasz/dbaora

It’s quite popular method to login as another user make some modifications/installations and restore original password. The password can be set as well on another database using hash value to sync passwords between databases.

--save password 062AB3D111CBAC0F
sqlplus>ALTER USER tomasz IDENTIFIED BY hacker;

--login to user tomasz and do some modifications/installations
sqlplus>CONNECT tomasz/hacker

--restore original password
sqlplus>connect / as sysdba
sqlplus>ALTER USER tomasz IDENTIFIED BY VALUE '062AB3D111CBAC0F';

Any user in database can change own password but to change password for other users you need dedicated system privilege ALTER USER.

Have a fun 🙂

Tomasz

 

Leave a Reply

Your email address will not be published. Required fields are marked *