I have just added a new default password checking tool to my web site. The tool is a set of SQL and PL/SQL scripts written by Marcel-Jan Krijgsman, who works for Transfer Solutions, based in Holland. The tool is driven by a list of default users. The list is part of the download, included in a spreadsheet compiled by Marcel-Jan and Justin Williams. The list includes 474 known Oracle default users and passwords. Unlike other available lists, this list also includes a description of what most of the users are used for and a severity level based on the privileges associated with the user. The spreadsheet includes usernames, passwords and, of course, hashes.
This default password list is probably the biggest Oracle default password list available.
How does it work? The set of scripts creates a user, a table to hold details of the default users, and a simple package procedure that loops through all of the users in the database and compares them with the default users in the created table. A useful report is printed showing any default users found with known passwords, along with details of what each user is used for.
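The approach described above, sketched as an added example; this is not Marcel-Jan's code from the download. The table, column and procedure names are hypothetical, the sample row is a constructed placeholder, and it assumes a release where DBA_USERS.PASSWORD still exposes the password hash and a checking user with SELECT on DBA_USERS granted directly rather than through a role.

```sql
-- Added example: hypothetical names throughout, not the tool's own schema.
-- Lookup table holding the known default accounts (loaded from the spreadsheet).
CREATE TABLE default_accounts (
  username    VARCHAR2(30)  NOT NULL,
  hash        VARCHAR2(16)  NOT NULL,
  description VARCHAR2(200),
  severity    NUMBER(1),
  CONSTRAINT default_accounts_pk PRIMARY KEY (username, hash)
);

-- Constructed placeholder row; real rows come from the default user list.
INSERT INTO default_accounts (username, hash, description, severity)
VALUES ('EXAMPLE_USER', '0000000000000000', 'Constructed sample entry', 3);
COMMIT;

CREATE OR REPLACE PROCEDURE report_default_passwords IS
  v_found PLS_INTEGER := 0;
BEGIN
  -- Match on username AND hash: the hash is derived from both, so the
  -- same password produces a different hash for each username.
  FOR r IN (SELECT u.username, u.account_status,
                   d.description, d.severity
              FROM dba_users u
              JOIN default_accounts d
                ON d.username = u.username
               AND d.hash     = u.password
             ORDER BY u.username)
  LOOP
    v_found := v_found + 1;
    -- The password itself is deliberately left out of the report.
    DBMS_OUTPUT.PUT_LINE(
      RPAD(r.username, 31) || RPAD(r.account_status, 33) ||
      'severity ' || r.severity || '  ' || r.description);
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(
    v_found || ' account(s) still have a known default password');
END report_default_passwords;
/

SET SERVEROUTPUT ON
EXEC report_default_passwords
```

Including ACCOUNT_STATUS in the report lets the reviewer separate open accounts, which need a password change first, from locked or expired ones.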
The script download can be found here. The page also describes the problem in detail, along with each script in the download, how it works, and a sample session.