Oracle's Password Hashing
Here's a paper on Oracle's password hashing algorithm. The algorithm isn't very good.
In this paper the authors examine the mechanism used in Oracle databases for protecting users' passwords. We review the algorithm used for generating password hashes, and show that the current mechanism presents a number of weaknesses, making it straightforward for an attacker with limited resources to recover a user's plaintext password from the hashed value. We also describe how to implement a password recovery tool using off-the-shelf software. We conclude by discussing some possible attack vectors and recommendations to mitigate this risk.
Posted on November 3, 2005 at 1:20 PM