[Previous entry: "CERT Issues Alert for Oracle"] [Next entry: "DBMS_SCHEDULER as a new alternative for DBMS_JOB by Patrick Sinke"]
Oracles default password scanner released with CPU April 2006
April 20th, 2006 by Pete
Post to del.icio.us
Post to Furl
I have just downloaded the default password scanner released with the April 2006 CPU. This is only available via metalink and is referenced in the CPU advisory. The Metalink note 361482.1 to access the tool decsribes what it is, how to download it, where to use it etc. This note then references a patch that can be downloaded that includes an SQL script and a detailed document about default passwords.
The script is a simple select statement that checks if the username exists with the known password hash for each default user. This is different to my own default password scanner as mine also includes details of the actual password. The new Oracle tool does not include the passwords.
The tool includes around 689 passwords. The big difference with this tool and mine also is that it includes a lot of PeopleSoft default accounts and also some JD Edwards accounts. I guess we both include most of the E-Business Suite ones.
The document is excellent though. It includes details of all default accounts listed in the tool and also details on how to change the passwords. This is very useful as some accounts you cannot simply change the password in the database you also need to change it in config files or elsewhere.
This is a useful tool and worth downloading. So come on Oracle make the document and the tool publically available!!! not just from Metalink.
