Finally, Oracle has made changes to the way they store passwords. Oracle 11g introduces a different algorithm (SHA1), supports mixed-case passwords and adds salts to stored passwords. This all sounds great EXCEPT that the old weaker hashes are still being stored in the sys.user$ table.
It seems as if several different people have been looking in to this at more or less the same time and have documented their efforts. One of them is Pete Finnigan http://www.petefinnigan.com/weblog/archives/00001097.htm. Recurity Labs have done a more technical analysis of the 150Mb Oracle Linux binary http://www.phenoelit.net/lablog/oracle.sl and conclude their work with this excellent comment:
“And we would like to welcome Oracle Corp. in the year 2007, the century of highly advanced, mixed-case passwords. 🙂 It should be noted that Oracle, in fine tradition, makes the same mistake Microsoft did a decade ago when they put the insecure LANMAN hash next to the brand new NTLM one. The table sys.user$ still holds the case insensitive DES encrypted password version next to the new one.”