Pete Finnigan's Oracle Security Weblog

I have just added a page to my site that lists 596 default Oracle users and their passwords. The list is available as HTML, CSV, SQL insert statements to load the data into a table, MS Excel spreadsheet and Open Office spreadsheet. The list can be used to audit your database for existing default accounts and to check that their passwords are not still the default values.

I have also updated the default password check script archive that I talked about recently and released on my web site to include the much bigger list of default users. I also fixed the table definition so that invalid passwords that have been set can be stored and checked. This is done when a password is set by the ALTER USER {BLAH} IDENTIFIED BY VALUES 'INVALID_PASSWORD' syntax. In this case there can never be a valid password but we can still test the hash value stored to see if it’s the default value. I have also updated the check script zip file to include a new spreadsheet that has been updated as above and also I include a new SQL data insert script to allow the check tool to be used to test the complete list of default accounts against your databases. The list also includes where it’s available a description of what the default accounts are used for.

I have actually created the list in an Oracle database so that it can be easily updated. I have also created some simple PL/SQL scripts that will re-create the SQL, CSV, HTML and spreadsheets with a little manual cleaning up afterwards. I plan to move the table to mysql and use perl to generate the files so that the whole thing can live on my site. I also plan to be able to update and add new default users and hashes via a web interface and possibly add searching of the list to make it easier for people to find details on default user accounts.

Again the list is available here and the check scripts here.