Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Aug 3rd, 2006, 2:21pm)

Title: Null Passwords
Post by Pete Finnigan on Aug 3rd, 2006, 2:21pm
Do any Oracle DB versions allow null passwords? If that is the case would the PASSWORD field not have a hash in it or would it just be the hashed username?

Title: Re: Null Passwords
Post by Pete Finnigan on Aug 6th, 2006, 4:55pm
Hi,

I tested this some time ago on an earlier version, could have been 8.1.7 but not sure. It should not allow NULL passwords now, although I have seen old documentation that talked about null passwords. The simplest way is to test if it's possible. I don't have Oracle installed on this machine to try it myself though.

cheers

Pete

Title: Re: Null Passwords
Post by Pete Finnigan on Aug 15th, 2006, 2:00pm
On Oracle 9.2:

create user nothing identified by "";

This results in:

ORA-01741: illegal zero-length identifier


Title: Re: Null Passwords
Post by Pete Finnigan on Aug 15th, 2006, 3:38pm
Hi Marcel-Jan,

Thanks for the test confirmation. I think it was possible in much earlier versions of Oracle to set a null password.

I cannot recall the security check list that suggested checking for null passwords but I guess it was possible at one time?

cheers

Pete

Title: Re: Null Passwords
Post by Pete Finnigan on Aug 15th, 2006, 3:49pm
I found an old 8.1.7.4.1 database which gives exactly the same message on this statement.

Same with an alter user statement.

Title: Re: Null Passwords
Post by Pete Finnigan on Aug 15th, 2006, 5:06pm
OK, thanks for that, I was thinking in terms of 7.1.6 or even version 6

cheers

Pete

Title: Re: Null Passwords
Post by Pete Finnigan on Aug 15th, 2006, 5:12pm
Oh I'm fresh out of databases of those versions :)

Title: Re: Null Passwords
Post by Pete Finnigan on Aug 16th, 2006, 5:08pm
Hi,

On Oracle 7.3.4.0

Code:
sql> create user bla identified by "";
ORA-01741: illegal zero-length identifier


regards,

Ivan

Title: Re: Null Passwords
Post by Pete Finnigan on Aug 17th, 2006, 9:17am
Thanks Ivan,

I guess the other option is that whoever wrote a checklist that included a check for null passwords simply created that list based on some other system such as an OS. I know I definitely saw a checklist that showed a check for null passwords but I was never sure it was possible to set a null password. I know I had tested it in the past and whatever version I tested it on it wasn't possible.

I guess we have confirmed back to any possible versions that people are using live. There could be a small number of 7.2 or 7.1.6 or even Oracle 6 databases still live I guess!

cheers

Pete


