Hi! I'm looking for a way to validate a password within PL/SQL. I want to
write
CREATE PROCEDURE change_password(old_password IN VARCHAR2)
IS
BEGIN
-- check if old_password is correct... but how?
I can get the hashed value of the password from DBA_USERS, of course, but is
there a way to hash old_password to see if it matches? (I wouldn't be
surprised if Oracle doesn't supply access to its one-way password hashing
algorithm... too useful for a password cracker...)
I can't actually try a CONNECT statement from within PL/SQL, right? And even
if I could, that would kill my current connection, right? That's no good...
Of course, because the user logged in successfully, they obviously had the
correct password at one point. But what if they logged in, left their desk,
and now somebody else is trying to change their password? Limiting idle_time
in the user's profile reduces the risk of this, but it's also really
annoying, especially if the time is short enough to protect every stroll to
the coffeepot.
The PASSWORD command in SQL*Plus prompts for old password, but I'm trying to
put this in a procedure that can be called from a GUI.
OK, here's an idea! I can create a dummy user identified by the supplied
old_password, then SELECT PASSWORD FROM DBA_USERS to see if the hashed
password of the dummy user matches the hashed password of the application
user... nope, didn't work! Apparently the algorithm doesn't have a simple 1
clear-text-password: 1 hashed-password mapping; each username/password
combination gets a different result.
As you can see, I'm running out of ideas. Can anyone help?
Thanks very much!
- Catherine
http://profiles.yahoo.com/arcticturtle
----- Posted via NewsOne.Net: Free (anonymous) Usenet News via the Web -----
http://newsone.net/ -- Free reading and anonymous posting to 60,000+ groups
NewsOne.Net prohibits users from posting spam. If this or other posts
made through NewsOne.Net violate posting guidelines, email ab***@newsone.net