Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Amis blog - Script to clear out a users schema"] [Next entry: "Patch set for Win32 is causing debate"]

A new Oracle default password checking tool is available

I have just added a new default password checking tool to my web site. The tool is a set of SQL and PL/SQL scripts written by Marcel-Jan Krijgsman who works for Transfer Solutions based in Holland. The tool is driven by a list of default users. The list is part of the download included in a spreadsheet compiled by Marcel-Jan and Justin Williams. The list includes 474 known Oracle default users and passwords. Unlike other available lists, this list also includes a description of what most of the users are used for and also a severity level based on the privileges associated with the user. The spreadsheet includes usernames, passwords and hashes of course.

This default password list is probably the biggest Oracle default password list available. How does it work? The set of scripts creates a user, a table to hold details of the default users and also then creates a simple package procedure that loops through all of the users in the database and compares them with the default users in the created table. A useful report is printed showing any default users found with known passwords and details of what the user is used for.

The script download can be found here. The page also describes in detail the problem and also each script in the download. The page also describes how it works and shows a sample session.