Stephen Kost has written an excellent white paper on Oracle Apps password encryption. Some key points from his white paper:
Oracle Applications 11i stores passwords in two tables: FND_USER and FND_ORACLE_USERID. The FND_USER table stores application user account passwords and the FND_ORACLE_USERID table stores internal Oracle Applications database account passwords. Both tables use the same encryption algorithm to protect the passwords.
The APPLSYS.FND_USER table contains all the application accounts. There are two password columns in this table: ENCRYPTED_FOUNDATION_PASSWORD and ENCRYPTED_USER_PASSWORD.
Column Value Encryption Key
ENCRYPTED_FOUNDATION_PASSWORD APPS password username/password
ENCRYPTED_USER_PASSWORD username/password APPS password
These two columns provide for a two-way encryption of the passwords –
1. if you know a username and password, you can get the APPS password = ENCRYPTED_FOUNDATION_PASSWORD
2. if you know the APPS password, you can get any user's password = ENCRYPTED_USER_PASSWORD
It is possible to decrypt APPS password or any front end user's password, if you have OS access and database access.