How Oracle Stores Passwords


Several years ago I wrote a small summary of the Oracle password hashing and storage for versions up to 11g.

Today I’ve completed my update of that article up to 12.1.0.2, including code to mimic generation of passwords given the appropriate salts.
The initial publication is in PDF format, I may convert and reformat it to other forms for better distribution.

The pdf file can be downloaded from my dropbox here.

It was interesting and enjoyable digging into the details of the hashes and how they change between versions and interact with the case-sensitivity settings.

I hope you enjoy it as much as I did writing it.

Let’s get started!


Welcome to my blog about Oracle database development. I’m also interested in math and frequently write pl/sql and sql snippets to solve various math problems.

For example, here’s an article I wrote about solving a combinatorics problem found in dart games like 301,501,701, etc.

Fun with Oracle SQL – Solving Checkouts in a Game of 501 Darts – Oracle, SQL, Darts, Combinatorics

That article used a purely SQL solution,  I also ported the Mersenne Twister pseudo-random number generator algorithm to pl/sql.  Tackling that was both fun and frustrating.  Fun because it was an interesting task both mathematically and programmatically.  It was frustrating at the same time though because much of the algorithm is based on pointer manipulation which doesn’t exist within the context of pl/sql, so I had to fake it procedural get/set operations.  The final solution I came up successfully mimics all of the functionality of the original SIMD oriented Fast Mersenne Twister(SFMT) by Mutsuo Saito and Makoto Matsumoto.  In addition I allowed parameterization of the mersenne exponent which the original c version only supported by recompiling.  However, the pl/sql implementation is much slower than the original c (even with native compilation.)  I implemented the pl/sql port largely for academic interest, not as a production-ready solution.  However it does work and for small scale testing the performance may be adequate.

I hope those articles give a good example of the type of code you might find here and whet your appetite for more.


%d bloggers like this: