{"id":327,"date":"2011-02-02T08:00:57","date_gmt":"2011-02-02T08:00:57","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=327"},"modified":"2014-05-16T07:37:18","modified_gmt":"2014-05-16T05:37:18","slug":"case-sensitive-passwords-and-strong-user-authentication-2","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2011\/02\/case-sensitive-passwords-and-strong-user-authentication-2\/","title":{"rendered":"Case Sensitive Passwords and Strong User Authentication"},"content":{"rendered":"

With 11g R1 Oracle introduced case sensitive passwords for database accounts based on the SHA1 hash algorithm. This feature can easily be enabled with the init.ora parameter SEC_CASE_SENSITIVE_LOGON<\/em>. As soon as this parameter is set to true, all new passwords will be case sensitive. Existing passwords will remain case insensitive until they are changed.
\nThe downside of this new feature is, that the passwords are also stored with the pre-11g database password hash. This is a potential security leak. The pre-11g password hash string from USER$<\/em> can be used to crack the case insensitive version of the password. All kind of tools, utilities, password lists etc are available to do this. As soon as the case insensitive version of the password is known, the case sensitive password can be guessed.<\/p>\n

Case Sensitiv Passwords<\/h3>\n

First of all lets have a look at the parameter of an 11g R2 test database.
\n
\nshow parameter sec_case_sensitive_logon<\/p>\n

NAME TYPE VALUE
\n------------------------- -------- ---------
\nsec_case_sensitive_logon boolean TRUE
\n<\/code>
\nThe Column PASSWORD_VERSIONS<\/em> in DBA_USERS shows the Database version in which the password was created or changed. The user TEST_10G shows only 10g which means that this user has been created before the database has been migrated to 11g and was never changed.
\n
\nSELECT username, password_versions
\nFROM dba_users
\nWHERE username LIKE 'TEST%';<\/p>\n

USERNAME PASSWORD
\n--------------- --------
\nTEST 10G 11G
\nTEST_11G 10G 11G
\nTEST_10G 10G
\n<\/code>
\nThe Password hashes for both the 11g (SPARE4<\/em>) and pre-11g hashes (PASSWORD<\/em>)
\n
\nset linesize 120
\ncol name for a10
\ncol password for a16
\ncol spare4 for a50
\nselect name,password,spare4 from user$ where name like 'TEST%';<\/p>\n

NAME PASSWORD SPARE4
\n---------- ---------------- --------------------------------------------------
\nTEST 7A0F2B316C212D67 S:7D5C8604CDF7811E06DAA7C718ADB3684A883CE7521CF5C0
\n 66721877D457
\nTEST_10G 48AFCE9CD794074D
\nTEST_11G AE6FC028DF3997FC S:CFD77E59711BC61589C6631C1F824CFC0966972D01599EF6
\n ED1558A2046F
\n<\/code>
\nAs you can see user TEST and TEST_11G have a pre-11g Hash and the long 11g Hash. The user TEST_10G only have a pre-11g Hash. This indicates that the user has been created before the database was migrated to 11g and the password never has been changed. Therefor the password for this user is case insensitive even when the parameter SEC_CASE_SENSITIVE_LOGON<\/em> is set to true.<\/p>\n

To enable or disable case sensitive passwords just alter the init.ora parameter.
\n
\nalter system set SEC_CASE_SENSITIVE_LOGON=true scope=spfile;
\nalter system set SEC_CASE_SENSITIVE_LOGON=false scope=spfile;
\n<\/code><\/p>\n

Increase Security<\/h3>\n

The Idea<\/h4>\n

The security can be increase when case sensitive password are used and logon’s are limited to the 11g authentication protocols. This can be achievement by setting the sqlnet parameter SQLNET.ALLOWED_LOGON_VERSION<\/em> to 11. As soon as this has been done the pre-11g hashes can be removed from USER$. <\/p>\n

In detail the following steps are required to enable Oracle Database 11g exclusive mode and increase database security.<\/p>\n