
Pete Finnigan's Oracle security weblog



600 Oracle default usernames/passwords available

November 16th, 2004 by Pete


I have just added a page to my site that lists 596 default Oracle users and their passwords. The list is available as HTML, CSV, SQL insert statements to load the data into a table, MS Excel spreadsheet and Open Office spreadsheet. The list can be used to audit your database for existing default accounts and to check that their passwords are not still the default values.

I have also updated the default password check script archive that I talked about recently and released on my web site to include the much bigger list of default users. I also fixed the table definition so that invalid passwords that have been set can be stored and checked. This is done when a password is set by the ALTER USER {BLAH} IDENTIFIED BY VALUES 'INVALID_PASSWORD' syntax. In this case there can never be a valid password but we can still test the hash value stored to see if it's the default value. I have also updated the check script zip file to include a new spreadsheet that has been updated as above and also I include a new SQL data insert script to allow the check tool to be used to test the complete list of default accounts against your databases. The list also includes, where it's available, a description of what the default accounts are used for.

I have actually created the list in an Oracle database so that it can be easily updated. I have also created some simple PL/SQL scripts that will re-create the SQL, CSV, HTML and spreadsheets with a little manual cleaning up afterwards. I plan to move the table to MySQL and use Perl to generate the files so that the whole thing can live on my site. I also plan to be able to update and add new default users and hashes via a web interface and possibly add searching of the list to make it easier for people to find details on default user accounts.

Again the list is available here and the check scripts here.
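The audit described above, comparing each account's stored value with the default list, can also be run offline. The sketch below is an added example, not the check script from this site: it assumes the defaults are available as CSV with `username,password,hash` columns and that `USERNAME, PASSWORD` has been exported from `DBA_USERS`; the column names and every sample value are constructed placeholders.

```python
import csv
import io
import re

# Constructed sample data: usernames and stored values are placeholders,
# not entries from the published list.
DEFAULTS_CSV = """username,password,hash
APPUSER1,WELCOME,0123456789ABCDEF
APPUSER1,CHANGEME,1111222233334444
BATCHUSR,,INVALID_PASSWORD
DEMO,DEMO,89ABCDEF01234567
"""

# Constructed export of USERNAME, PASSWORD from DBA_USERS on the audited database.
DBA_USERS_CSV = """username,password
APPUSER1,1111222233334444
BATCHUSR,INVALID_PASSWORD
DEMO,FEDCBA9876543210
APP_OWNER,0A0A0A0A0A0A0A0A
"""

HASH_RE = re.compile(r"^[0-9A-F]{16}$")  # a real stored hash is 16 hex characters


def load_defaults(text):
    """Map username -> set of default stored values (a user may have several)."""
    defaults = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["username"].strip().upper()
        defaults.setdefault(user, set()).add(row["hash"].strip())
    return defaults


def audit(defaults, users_text):
    """Return (username, status) for every account that appears in the default list."""
    findings = []
    for row in csv.DictReader(io.StringIO(users_text)):
        user, stored = row["username"].strip().upper(), row["password"].strip()
        if user not in defaults:
            continue  # not a known default account
        if stored not in defaults[user]:
            findings.append((user, "default account present, password changed"))
        elif HASH_RE.match(stored):
            findings.append((user, "DEFAULT PASSWORD STILL SET"))
        else:
            # Set with IDENTIFIED BY VALUES to a string that is not a hash:
            # no password can match it, but it is still the shipped value.
            findings.append((user, "default impossible-password value"))
    return findings


if __name__ == "__main__":
    for user, status in audit(load_defaults(DEFAULTS_CSV), DBA_USERS_CSV):
        print(f"{user:<12} {status}")
```
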


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
