Monthly Archives: July 2012

Oracle 11g default passwords and hashes

Today I was asked to get the list of Oracle default password hashes. Immediately thought about Pete Finigan website which talks about all Oracle security issues.

Quickly I found this page with the list of hashes, but I was not convinced this would work on Oracle 11.1 and 11.2. This because with the latest Oracle versions the information can be in different columns (password, spare4 from sys.user$).

But then looking at MOS, I found the note Script to Check for Default Passwords Being Used for Common Usernames [ID 227010.1] where an interesting snipped is found:

The default password checker no longer exists in 11g, instead there is a
table in the data dictionary SYS.DEFAULT_PWD$ which contains the default
passwords and there is a view DBA_USERS_WITH_DEFPWD which shows which users
on the system are still using default passwords.

So it was now important to see if on my databases all the accounts which still have the defaults are locked (or better, deleted). A simple sql gave the answer:

SQL> select username , account_status
  3  natural join dba_users;

USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
APPQOSSYS                      EXPIRED & LOCKED
CTXSYS                         EXPIRED & LOCKED
EXFSYS                         EXPIRED & LOCKED
MDDATA                         EXPIRED & LOCKED
MDSYS                          EXPIRED & LOCKED
OLAPSYS                        EXPIRED & LOCKED
ORACLE_OCM                     EXPIRED & LOCKED
ORDDATA                        EXPIRED & LOCKED
ORDPLUGINS                     EXPIRED & LOCKED
ORDSYS                         EXPIRED & LOCKED
OUTLN                          EXPIRED & LOCKED
OWBSYS                         EXPIRED & LOCKED
SCOTT                          EXPIRED & LOCKED
WMSYS                          EXPIRED & LOCKED
XDB                            EXPIRED & LOCKED
XS$NULL                        EXPIRED & LOCKED

19 rows selected.