Normally, when I connect to Oracle, I don’t worry about case sensitivity of my password.
But today, when I was trying to connect to Oracle, I was continuously getting the following error.
Flashing message “ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.”.
I had no clue why exactly this was happening, as I was providing the right username and password!
I became a little bit irritated: what was I doing wrong?
Usually I provide the username and password in lower case, as I know that Oracle is case insensitive. So for a change I tried the same username and password in upper case, and it connected.
I did a little more R&D on this and found that from Oracle 11g onwards, Oracle has decided to be a little bit case sensitive.
Let me show you with an example.
Illustration:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SYSTEM@ orcl>ALTER USER FLEETWIZ IDENTIFIED BY FLEETwiz;
User altered.
SYSTEM@ orcl>conn
Enter user-name: fleetWIZ/fleetwiz
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
@ >
Then I tried with…
@ >conn FLEETwiz/FLEETwiz
Connected.
FLEETWIZ@ orcl>
Now Check on Db 10g
——————–
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SYSTEM@ db>ALTER USER FLEETWIZ IDENTIFIED BY FLEETwiz;
User altered.
SYSTEM@ orcl>conn
Enter user-name: fleetWIZ/fleetwiz
Connected.
FLEETWIZ@ db>
FLEETWIZ@ db>conn
Enter user-name: FLEETWIZ/fleetwiz
Connected.
FLEETWIZ@ db>
Wow, Interesting :=)
Suffice it to say that Oracle 11g still doesn’t care whether the “username” is provided in upper, lower or mixed case, but the password supplied for authentication must now be in the same case as the original password.
5 responses so far ↓
1 Dashboards // Feb 12, 2008 at 7:55 am
Hi,
I have been working on an Oracle DBA/Sysadmin Dashboard. What do you think are the key ingredients of a DBA dashboard?
Your opinion is highly regarded
Regards
Nilesh
Dashboards
2 Rajender Singh // Feb 12, 2008 at 8:32 am
Hi Nilesh,
I think you can divide the dashboard into the following categories and then think about what you want to show.
Information about CPU (Concentration on Shortage)
Information about Space (Concentration on Shortage)
Information about Sessions (Concentration on Consumption)
Information about SQL (Concentration on Consumption and Response time)
Above are some of the things I would like to see when looking at a dashboard of my database.
Regards,
Rajender
3 David Fitzjarrell // Mar 10, 2008 at 9:13 pm
Yes, up until 11g Oracle was case-insensitive with respect to passwords and this is clearly explained in the password hashing algorithm:
1. Concatenate the username and the password to produce a plaintext string;
2. Convert the plaintext string to uppercase characters;
3. Convert the plaintext string to multi-byte storage format; ASCII characters have the high byte set to 0x00;
4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;
5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.
Note Step #2; obviously this step has been modified in 11g as a security enhancement reported in a number of Oracle-related blogs as early as October of last year, and also noted in the ‘11g New Features’ document provided by Oracle Corporation. Along with this comes a new SHA-1 encryption algorithm and a stronger password hash.
It’s too bad you didn’t read the new features documentation for 11g. It would have saved you aggravation and the needless experiment.
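The following is an added example, not part of the original post or of any comment: it carries out steps 1 to 3 of the algorithm quoted in comment 3, plus the zero padding from step 4, on the credentials from the post's sessions to show why the 10g logon accepted every case spelling. The function names are hypothetical, and the multi-byte format is assumed to be UTF-16 big-endian, which matches the "high byte set to 0x00" description for ASCII.

```python
from itertools import product

DES_BLOCK = 8  # bytes; step 4 pads the plaintext to a multiple of this


def legacy_plaintext(username: str, password: str) -> bytes:
    """Return the byte string that steps 1-3 (plus step 4's padding) hand to DES."""
    text = (username + password).upper()        # steps 1 and 2: concatenate, uppercase
    data = text.encode("utf-16-be")             # step 3: ASCII gets a 0x00 high byte
    return data + b"\x00" * (-len(data) % DES_BLOCK)


def same_legacy_input(a: tuple, b: tuple) -> bool:
    """True when two (username, password) pairs reach DES as identical bytes,
    and therefore produce the identical pre-11g hash."""
    return legacy_plaintext(*a) == legacy_plaintext(*b)


def accepted_spellings(password: str) -> int:
    """Count the case spellings of an ASCII password that fold to the same input."""
    choices = [{c.lower(), c.upper()} for c in password]
    return len({"".join(v) for v in product(*choices)})


if __name__ == "__main__":
    stored = ("FLEETWIZ", "FLEETwiz")           # as set by ALTER USER in the post
    for attempt in [("fleetWIZ", "fleetwiz"), ("FLEETWIZ", "fleetwiz")]:
        print(attempt, "matches stored:", same_legacy_input(stored, attempt))
    print(legacy_plaintext(*stored).hex())
    print("spellings accepted for FLEETwiz:", accepted_spellings("FLEETwiz"))
```

Because the case is discarded before any encryption happens, a mixed-case password adds no strength on a pre-11g hash: all of its case spellings are the same secret.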
4 Rajender Singh // Mar 11, 2008 at 11:11 am
Hello David,
That’s a very nice insight into how Oracle handles password authentication!
Thanks a lot!
Great work.
Regards,
Raj
5 Anand // Mar 11, 2008 at 11:13 am
Hi David,
Thank you very much for explaining the password hashing algorithm to me.