4.3. Default Usernames and Passwords
No other bit of software has more well-known default usernames and passwords than Oracle. Username and password combinations are the first line of defense an attacker will try to compromise to gain authenticated access to the system. The more common ones are as follows:
SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER DBSNMP/DBSNMP CTXSYS/CTXSYS MDSYS/MDSYS SCOTT/TIGER
A full list can be found in the appendix.
While it is not common to find the SYS or SYSTEM account with a default password, DBSNMP, the Intelligent Agent account, is often found to have the default password left intact. This is probably because the password needs to be changed in two places if you still want the Intelligent Agent to work. The first password change occurs in the database; the second password change needs to happen in the snmp_rw.ora file. Both CTXSYS and MDSYS, both DBAs in 9i, are often found with their default passwords left intact, too, though not as much as DBSNMP.
With the introduction of 10g, the situation improved drastically. During the install process, the installer is prompted for a password for the SYS account. This same password can then be set for the SYSTEM, DBSNMP, and SYSMAN accounts, too. All other accounts are set to EXPIRED and LOCKED. EXPIRED means the default password has expired and must be changed. However, for the default accounts and the default profile, the password can be changed to its original. People often do this so their older applications, ...
Get The Oracle® Hacker's Handbook: Hacking and Defending Oracle now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
