Retrieve Oracle password from Toad for Oracle

转载 2015年11月17日 18:06:44

One of the oldest feature Dell Toad has is saving login passwords. This is accomplish easy with enabling check box "Save passwords" on login screen. 

The whole connection process is defined through three files located in %USERPROFILE%\AppData\Roaming\Quest Software\Toad for Oracle\11.6\User Files\, where "11.6" is Toad version and may vary in your cases: 
Passwords are stored in encrypted way in CONNECTIONPWDS.INI file. However they are not exposed in any normal way (you can read them) but only to use them as login without knowing password, which was once placed. This may raised some security issue, which I'll cover at the end. But having stored passwords allow Toad many beautiful automation and wide a lot actions that might need password as input. However, saving passwords also gave me additional feature (which is originally mine trick)-a way to retrieve Oracle passwords from any saved connection.

The solution

The trick is based on another Toad for Oracle feature-get SQL for any kind of DDL action, which was performed through GUI, in this case creating db link. Here is what you have to do to retrieve scott password:
  1. Connect in Toad as any user for which you DO NOT WANT TO RETRIEVE password (in mine case this is vadas user)
  2. Choose Database|Create|DB Link menu item
  3. Fill data as shown in the picture: 

    As you can see I have chosen scott user and password is automatically retrieved from saved passwords file.
  4. Choose Show SQL as shown in the picture and you'll get pure SQL which contains password 

And that's it! Pretty cool isn't it? 
The trick is working for every user's password. In next case I'm showing how to retrieve sys password, retrieved through scott connection. 

The End

Someone might say this is security issue, but I do strongly think it is not! Mentioned file with stored passwords is encrypted with two keys:
  1. Domain user name
  2. Some kind of workstation unique hash value
These ensures that password file cannot be copied to another workstation and Domain admins (or other privileged users on that workstation) cannot use that file in any way! For me this is more then fair insurance. 

Keep in mind that newer releases of Toad do not use "workstation unique hash value", but only domain username as a pattern for hashing. Check and test before dropping old laptop data. For the end let me tell that if someone find storing password as a security issue regardless motioned, he/she can always disable that option and live with shorter 
Hope this helps someone. 



Toad for Oracle 介绍

软件名称:《Toad for Oracle》 软件语言: 英语 运行环境: 2000/XP 软件大小: 53677K 软件分类: 编程开发/数据库工具 Toad for Oracl...

Toad for Oracle工具的使用

转自:   Toad for Oracle工具的使用 出处:转载 [注意:单击图片可...



获取MySQL加密密码并验证用户输入(登录界面),retrieve hashpwd from mysql and compare with input password on login

获取MySQL加密密码并验证用户输入(登录界面),retrieve hashpwd from mysql and compare with input password on login