Oracle Default Password Checker

It’s amazing how much stuff you come across years after it was released by Oracle, like the view DBA_USERS_WITH_DEFPWD. It lists many standard or common database accounts where you still have a default password set. If you combine this with the DBA_USERS view, you can see instantly where you may have a gaping security hole…


select def.username,usr.account_status
from dba_users_with_defpwd def, dba_users usr
where def.username = usr.username

USERNAME ACCOUNT_STATUS
------------------------------ --------------------------------
ORACLE_OCM EXPIRED & LOCKED
XDB EXPIRED & LOCKED
OLAPSYS EXPIRED & LOCKED
WMSYS EXPIRED & LOCKED
DBSNMP EXPIRED & LOCKED
DIP EXPIRED & LOCKED
OUTLN EXPIRED & LOCKED
EXFSYS EXPIRED & LOCKED
CTXSYS EXPIRED & LOCKED
XS$NULL EXPIRED & LOCKED
APPQOSSYS EXPIRED & LOCKED

If those accounts aren’t expired & locked, your database is wide open.

To see which accounts are being checked (with their default hashes), run:


select substr(user_name,1,20) username,substr(pwd_verifier,1,20) pwd_hash
from sys.default_pwd$
order by 1

In 11.2.0.3, there are 841 accounts being verified… have you left your flies undone?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 26 other followers

%d bloggers like this: