3 Replies Latest reply: Feb 6, 2014 12:03 AM by Emad Al-Mousa RSS

Passwords On The Wire

dbachaas Newbie
Currently Being Moderated

Are passwords entered in SQL*Plus (11g) encrypted on the wire when connecting to a remote database?  Can anyone point me to some Oracle documentation so I can document this?

Thanks.

  • 1. Re: Passwords On The Wire
    Justin Cave Oracle ACE
    Currently Being Moderated

    Yes, the password is encrypted on the wire.  Normally, the rest of the transaction is not encrypted so all the data flows in clear text though it is possible to configure the session so that the data exchange is also encrypted.

     

    I don't off the top of my head know of any documentation that states this.  I'm sure there are some Metalink documents out there that do, I'm just too lazy to search right at the moment.  You can enable SQL*Net tracing and/or use Wireshark, though, to confirm that.

     

    If you're one of the handful of folks that really dig in to the Oracle authentication process, it's a bit convoluted.  But the server does (after some handshaking) give the client a session ID that is used by the session to encrypt the password.

     

    Justin

  • 2. Re: Passwords On The Wire
    DavidAWJohnson Newbie
    Currently Being Moderated

    Short answer is "Yes, the password is encrypted as part of the login process"

     

    Long answer: Is the Password Encrypted when I Logon and Other Related Questions (Doc ID 271825.1)

  • 3. Re: Passwords On The Wire
    Emad Al-Mousa Journeyer
    Currently Being Moderated

    as justin stated, the password will be encrypted. However, the data won't be encrypted unless you enable "network encryption" through sqlnet.ora configuration.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points