Blog dedicated to Oracle Applications (E-Business Suite) Technology; covers Apps Architecture, Administration and third party bolt-ons to Apps

Tuesday, August 19, 2008

Oracle Applications password encryption

Stephen Kost has written an excellent white paper on Oracle Apps password encryption. Some key points from his white paper:

Oracle Applications 11i stores passwords in two tables: FND_USER and FND_ORACLE_USERID. The FND_USER table stores application user account passwords and the FND_ORACLE_USERID table stores internal Oracle Applications database account passwords. Both tables use the same encryption algorithm to protect the passwords.

The APPLSYS.FND_USER table contains all the application accounts. There are two password columns in this table: ENCRYPTED_FOUNDATION_PASSWORD and ENCRYPTED_USER_PASSWORD.

| Column | Value | Encryption Key |
|---|---|---|
| ENCRYPTED_FOUNDATION_PASSWORD | APPS password | username/password |
| ENCRYPTED_USER_PASSWORD | username/password | APPS password |

These two columns provide for a two-way encryption of the passwords:
1. If you know a username and password, you can get the APPS password from ENCRYPTED_FOUNDATION_PASSWORD.
2. If you know the APPS password, you can get any user's password from ENCRYPTED_USER_PASSWORD.

It is possible to decrypt the APPS password or any front-end user's password if you have both OS access and database access.
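The circular key relationship in the table above, modelled as an added example (not code from this post or from the white paper). The XOR keystream cipher and the PBKDF2 row are stand-ins, not Oracle's algorithms, and all names and passwords are constructed; the model shows why one valid login plus read access to the table exposes every credential, while a one-way hash row exposes none.

```python
import hashlib
import hmac
import os

def _keystream(key: str, n: int) -> bytes:
    # Stand-in keystream (NOT Oracle's algorithm): SHA-256 in counter mode.
    out = b""
    for counter in range(n // 32 + 1):
        out += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
    return out[:n]

def encrypt(key: str, plaintext: str) -> bytes:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def decrypt(key: str, blob: bytes) -> str:
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()

def reversible_row(user: str, password: str, apps_password: str) -> dict:
    # Mirrors the table above: each column is keyed by the other column's secret.
    user_key = f"{user}/{password}"
    return {"USER_NAME": user,
            "ENCRYPTED_FOUNDATION_PASSWORD": encrypt(user_key, apps_password),
            "ENCRYPTED_USER_PASSWORD": encrypt(apps_password, user_key)}

def exposure(table: list, user: str, password: str) -> tuple:
    # What one valid login plus read access to the table reveals.
    row = next(r for r in table if r["USER_NAME"] == user)
    apps = decrypt(f"{user}/{password}", row["ENCRYPTED_FOUNDATION_PASSWORD"])
    users = {r["USER_NAME"]: decrypt(apps, r["ENCRYPTED_USER_PASSWORD"]).split("/", 1)[1]
             for r in table}
    return apps, users

def hashed_row(user: str, password: str) -> dict:
    # One-way storage (PBKDF2 as a stand-in): nothing in the row can be decrypted.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"USER_NAME": user, "SALT": salt, "PASSWORD_HASH": digest}

def verify(row: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row["SALT"], 100_000)
    return hmac.compare_digest(candidate, row["PASSWORD_HASH"])

# Constructed sample data.
APPS = "apps-secret"
TABLE = [reversible_row("ALICE", "alice-pw", APPS), reversible_row("BOB", "bob-pw", APPS)]

if __name__ == "__main__":
    print(exposure(TABLE, "ALICE", "alice-pw"))
```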

3 comments:

Gareth said...

Hi Vikram,

From 11i10 RUP 6 patch 5903765, you can run FNDCPASS USERMIGRATE to change password encryption to a non-reversible hash.

See my post here:
http://garethroberts.blogspot.com/2007/10/must-have-atg-rup-6-patch-5972626.html

Gareth

Vikram Das said...

Hi Gareth,

Thanks for the information. I'll test and see if the hack works after changing to a non-reversible hash.

- Vikram

Anonymous said...

Hi Vikram,

First, let me thank you for your very informative blog. My request is: can you please let us know, or give the source of information on, how to decrypt the password (assuming we have OS-level access)?

Your blog is a Rocking Place!!!!


Thanks
Althaf.