Oracle 11g default passwords and hashes
Today I was asked to get the list of Oracle default password hashes. I immediately thought of Pete Finnigan's website, which covers all Oracle security issues.
Quickly I found this page with the list of hashes, but I was not convinced it would work on Oracle 11.1 and 11.2. This is because in the latest Oracle versions the information can be in different columns (password, spare4 from sys.user$).
But then, looking at MOS, I found the note Script to Check for Default Passwords Being Used for Common Usernames [ID 227010.1], which contains an interesting snippet:
The default password checker no longer exists in 11g, instead there is a
table in the data dictionary SYS.DEFAULT_PWD$ which contains the default
passwords and there is a view DBA_USERS_WITH_DEFPWD which shows which users
on the system are still using default passwords.
So it was now important to see whether, on my databases, all the accounts that still have the default passwords are locked (or better, deleted). A simple SQL query gave the answer:
SQL> select username , account_status
  2  from DBA_USERS_WITH_DEFPWD
  3  natural join dba_users;

USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
APPQOSSYS                      EXPIRED & LOCKED
CTXSYS                         EXPIRED & LOCKED
EXFSYS                         EXPIRED & LOCKED
MDDATA                         EXPIRED & LOCKED
MDSYS                          EXPIRED & LOCKED
OLAPSYS                        EXPIRED & LOCKED
ORACLE_OCM                     EXPIRED & LOCKED
ORDDATA                        EXPIRED & LOCKED
ORDPLUGINS                     EXPIRED & LOCKED
ORDSYS                         EXPIRED & LOCKED
OUTLN                          EXPIRED & LOCKED
OWBSYS                         EXPIRED & LOCKED
SCOTT                          EXPIRED & LOCKED
SI_INFORMTN_SCHEMA             EXPIRED & LOCKED
SPATIAL_CSW_ADMIN_USR          EXPIRED & LOCKED
SPATIAL_WFS_ADMIN_USR          EXPIRED & LOCKED
WMSYS                          EXPIRED & LOCKED
XDB                            EXPIRED & LOCKED
XS$NULL                        EXPIRED & LOCKED

19 rows selected.
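
On a database with many accounts, the check above is easier to act on when it returns only the exceptions. The query below is an added example, not part of the original post or the MOS note: it lists default-password accounts that are not permanently locked and generates a lock statement for each. The `remediation` column alias and the choice to treat timed locks as still exposed are assumptions of this example.

```sql
-- Added example (not from the original post or MOS note 227010.1).
-- Goal: list accounts that still use a default password AND are not
-- permanently locked, with a ready-to-review lock statement for each.
--
-- An explicit join key is used instead of NATURAL JOIN so the result does
-- not depend on which same-named columns the two views happen to share.
SELECT u.username,
       u.account_status,
       u.profile,
       u.password_versions,
       -- Generated text only; nothing is executed by this query.
       -- Review the output before running any of it.
       'ALTER USER "' || u.username || '" ACCOUNT LOCK PASSWORD EXPIRE;'
           AS remediation            -- hypothetical column alias
FROM   dba_users_with_defpwd d
JOIN   dba_users u
       ON u.username = d.username
-- Only permanent locks count as safe here. Statuses such as OPEN, EXPIRED,
-- EXPIRED(GRACE) and the LOCKED(TIMED) variants are reported, because a
-- timed lock (set after failed logins) is released automatically once the
-- profile's PASSWORD_LOCK_TIME has elapsed.
WHERE  u.account_status NOT IN ('LOCKED',
                                'EXPIRED & LOCKED',
                                'EXPIRED(GRACE) & LOCKED')
ORDER  BY u.username;
```

On a database like the one shown above, where all 19 accounts are EXPIRED & LOCKED, this returns no rows.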