Oracle Default Password List
This page is the home for the Oracle default password list that we have collated. The list can also be thought of as a list of Oracle default password hashes.
- What are default Oracle users and default Oracle passwords?
- Why are they created?
- What are the sources of these accounts - where did I find them?
- What is the issue?
- Is the problem getting better?
- What can be done?
They are simply database accounts created when the database itself is created or later during the life of the database.
Oracle default accounts can be created for many different reasons. They are created by Oracle itself when the database is created. For instance the accounts SYS and SYSTEM, DBSNMP and OUTLN are often created by default when a database is created. If the database is created by using the wizard the problem can be much bigger with 10s 0r 20s of accounts being created simply as part of the database creation. Further default accounts can be created after the initial database creation by running scripts that live in the $ORACLE_HOME/rdbms/admin or other directories. These scripts can be run to add an additional feature or function or to add example code to the database (You never do this is production do you?). Further Oracle default users can be created when third party software is installed for use such as BAAN or SAP. The same issues of default users being added to the database can occur when third party development or maintenance tools are added such as TOAD or PL/SQL Developer. Problems can also occur when employees run examples from books, or documentation (official and non-official), books or web sites.
OK, so this page includes a big list of Oracle default users, passwords and hashes, it's probably the biggest such source on the net but how did we create it? This is simple and hard at the same time. Its simple because there are various sources to get these users from on the Internet or in books or documentation but its also quite a large task to collate them all. I have collected default Oracle usernames and passwords from a lot of web sites on the Internet and also from books, documentation, the Oracle software for a lot of versions and platforms (There are differences even between platforms with what accounts are included) and also from people who have emailed me details of their findings. He list this time started with Justin Williams spreadsheet. This includes users and passwords from many sources. Marcel-Jan Krijgsman then enhanced this spreadsheet and then I further enhanced it from lots of sources.
This is a good question and one often overlooked by companies using Oracle as I almost always find default Oracle accounts with their well known default passwords in almost every database I have audited. This means that these databases have failed the simplest of security measures. They have allowed an account to exists whereby an attacker (This could be a hacker, business spy or even an employee, good or bad) can guess an account name and password and gain access. Quite often these default accounts also have critical SYSTEM PRIVILEGES so making the matter worse.
In general I would say NO. There are a number of reasons to come to this conclusion. Whilst it is true that Oracle have made efforts to reduce the problem by making the installer more intelligent and allowing customers to choose whether to install examples and the like the fact is default accounts are still installed by default. Oracle have also made efforts to lock and expire the passwords on most of the accounts and they also now will not let you choose the standard passwords for SYS and SYSTEM. But there are still 14 default accounts that can be created in 10g with known passwords and the accounts are not locked. The problem also is that the number of possible default accounts grows with each version of Oracle. Also other manufacturers are not innocent and add their own often with DBA privileges. The final fact that I have collated together a list of about 600 Oracle default users and passwords means that the problem must be getting bigger, 3 years ago a typical list might have included 50 to 100 default users.
Help is at hand. The lists of Oracle default passwords made available here can only help users of Oracle to check their databases for these accounts and to make sure that they do not have this problem. The Oracle default password checker available from this site can be used to simply test your databases. If you find default accounts with default passwords, then do two things. First decide if the account can be removed. It should be possible in almost all cases. If it can remove it. If not change the password, lock and expire the account and audit access to them. Also use the password management features particularly on default accounts.
The following list of people have helped me create this list of passwords:
- Justin Williams
- Marcel-Jan Krijgsman
- Jared Still
- Dik Pater from atosorigin.com
If you know of any default users that we have missed or can help provide any of the missing default password hashes then please do not hesitate to let me know. You can email me at firstname.lastname@example.org in the first instance.
This is a brief change history for this set of scripts:
- 1.0 - First release
- 1.1 - Changes to SAP users
- a - changed note for SAP schema owner to be SAPR3
- b - Added note to SAP users and DDIC users to state they are SAP R/3 application users.
- c - Added separate page for SAP user explanations.
- 1.4 - Updated the Excel spreadsheet and data install script for the SAP users.
- 1.5 - Corrections and additions to the list
- a - updated 21 default accounts to remove trailing spaces in the data creation scripts
- b - added 2 new default users to the data scripts and spreadsheets
SAP user accounts
Three of the users listed in the Original default password list are actually SAP application users. Follow this link to find out more details about these SAP users.
Download the Oracle default password lists
The default password list has been provided in a few different formats for your use. If you need to have a different format and its useful for others then i may be able to provide it here. Please let me known at the same email address as above.
Each of the files includes the same data and basically the same structure (I should say that this structure is implicit from Marcel-Jan's spreadsheet and tool. There are 6 fields in each line of data as follows:
- Product : The name of the product the username and password belongs to. e.g. 'Oracle'
- security_level : The perceived level of threat the account represents. 1 being the biggest threat.
- username : The default accounts username
- password : The password, if known. If the password has the value
then in general there is also a hash value. This can still be used to check if the account has the default password but in this case we simply do not know the password. In some cases we know the default account exists and we know neither the password or the hash value. In these cases we cannot check the password but you can determine if the account exists and change the password anyway for security. It is still a risk though to retain this password in production. If the password field contains then the password that is included in the HASH_VALUE field is an invalid password. This means it has been deliberately set to a value that can never be created by the password hashing algorithm. In these cases a password never exists that can be used, we simply use the hash value as a check. These accounts are slightly safer as they cannot be logged into.
- hash_value : This is the known password hash value that can be found in the table SYS.USER$
- commentary : This is simply text to illustrate what the users account is used for and also to discuss the privileges assigned to the account where relevant.
Here are the files:
|oracle_default_passwords.csv||Comma separated list of the Oracle default passwords and hashes.|
|oracle_default_passwords.sql||An SQL script that will insert all of the default password list into an Oracle (or other database!) table called OSP_ACCOUNTS. This is the database table used in Marcel-Jan's tool so this script can always be used to increase the list of default users you wish to check with that tool if this list gets increased.|
|oracle_default_passwords.xls||This is an MS Excel spreadsheet representation of the default password list. This is the same spreadsheet that is included with the default password checking tool archive.|
|oracle_default_passwords.sxc||This is an Open Office 1.0 spreadsheet representation of the default password list. This is the same spreadsheet that is included with the default password checking tool archive.|
|oracle_default_passwords.htm||This is a HTML representation of the Oracle default password list.|