
I'm trying to understand the Oracle 11g password hashing algorithm. I found this link explaining how it is done; however, I have some confusion about how they say it's done. According to that link it goes like this:

  • Random 10 byte salt string is generated by oracle
  • The password and the salt string itself become one
  • Oracle runs the string through an SHA1 algorithm
  • The output is S:<HASH(password+salt)><SALT>

So for example:

>>> import hashlib
>>> d = hashlib.sha1()
>>> salt = "test"  # random salt (not 10 bytes)
>>> password = "testing"  # password
>>> password2 = password + salt  # salt and password become one
>>> print(password2)
testingtest
>>> d.update(password2.encode("ascii"))  # hashlib wants bytes on Python 3; Python 2 accepts the str directly
>>> data = d.hexdigest()  # hexdigest of the concatenated string (password+salt)
>>> hash_to_display = "s:{}{}".format(data, salt)  # return s:<HASH(pass+salt)><SALT>
>>> print(hash_to_display.upper())
S:6B399DF23C6B76D667F5E043D2DD13407A2245BBTEST
>>>

Am I correct in assuming that this is how Oracle 11g does its hashing?

13aal

1 Answer

What you have matches the documentation I found (both official and not). Too bad, it's not as secure as it could be. Even if using SHA-1 (perhaps to be FIPS 140-2 compliant), one could run the data through many iterations to make it much harder to brute force.

Swashbuckler
  • I found it hard to believe that this was how Oracle 11g hashed its password, as you said it's pretty insecure – 13aal Jun 25 '17 at 22:29
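The scheme the question lists (SHA-1 over password||salt, a 10-byte salt, the result rendered as S:&lt;hash&gt;&lt;salt&gt; in upper-case hex) and the answer's point about iterations, as an added example that is not code from the original post or from Oracle. It builds and verifies an S: string with a proper 10-byte salt, shows what the salt does and does not buy (a wordlist attack still costs one SHA-1 per guess), and contrasts it with an iterated PBKDF2-HMAC-SHA1 variant. Assumptions: the password is hashed as its UTF-8 bytes, the salt comes from os.urandom, the sample passwords and wordlist are constructed here, and the PBKDF2 format and iteration count are an illustration of "many iterations", not anything Oracle ships.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

SALT_LEN = 10            # Oracle 11g uses a 10-byte random salt (from the question)
SHA1_LEN = 20            # SHA-1 digest length in bytes
ITERATIONS = 100_000     # iteration count for the hardened variant (assumption)


def oracle11g_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an Oracle 11g style string: S:<SHA1(password||salt)><salt>, upper-case hex.

    Assumes the password is hashed as UTF-8 bytes; the page does not state the encoding.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return ("S:" + digest + salt.hex()).upper()


def parse_oracle11g_hash(stored: str) -> Tuple[bytes, bytes]:
    """Split an S: string into (digest, salt); the salt is the trailing 20 hex chars."""
    expected_len = 2 + 2 * SHA1_LEN + 2 * SALT_LEN
    if not stored.startswith("S:") or len(stored) != expected_len:
        raise ValueError("not an Oracle 11g S: hash")
    body = bytes.fromhex(stored[2:])
    return body[:SHA1_LEN], body[SHA1_LEN:]


def verify_oracle11g(password: str, stored: str) -> bool:
    """Recompute SHA1(password||salt) and compare in constant time."""
    digest, salt = parse_oracle11g_hash(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def crack_oracle11g(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: the salt blocks precomputed tables, but each guess is
    still a single SHA-1 call, which is exactly the weakness the answer points at."""
    digest, salt = parse_oracle11g_hash(stored)
    for guess in wordlist:
        if hashlib.sha1(guess.encode("utf-8") + salt).digest() == digest:
            return guess
    return None


def hardened_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Iterated variant (assumed format, not Oracle's): pbkdf2-sha1$iter$salt$dk.

    Still SHA-1 based, so the FIPS argument in the answer is unaffected, but every
    guess now costs `iterations` HMAC calls instead of one hash.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=SHA1_LEN)
    return "pbkdf2-sha1$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_hardened(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2-sha1":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), dklen=SHA1_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample password and wordlist; not taken from any real system.
    stored = oracle11g_hash("testing")
    print(stored, len(stored))
    print("verify:", verify_oracle11g("testing", stored))
    print("cracked as:", crack_oracle11g(stored, ["password", "oracle", "testing"]))
    print(hardened_hash("testing", iterations=1000))
```

A fixed salt is used in the checks below only to make results reproducible; in practice always let the salt be drawn fresh from os.urandom, as the functions do by default.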