passwords/hashes exposed
I recently read this article, which I thought sounded a bit worrying about Oracle security and hashes:
http://www.red-database-security.com/whitepaper/oracle_passwords.html
It claims no end of areas whereby hashes and even plain text passwords
could reside, i.e.
Location of Oracle password hashes
Database - SYS.USER$ - Password; Oracle Password File; Data File of the system tablespace; (full) Export-Files; archive logs
Oracle database passwords in cleartext
Cleartext passwords can be typically but not necessarily found at the following places
Server
Shell History files; Unix Scripts; Log Files; Dump Files; Trace Files
Application Server
JDBC-Config-Files; Trace Files
DBA Client PC
Desktop-Shortcut; Batch-Files; Configuration files of Oracle Tools (like connections.ini); Trace Files
I have seen BKF files exposed on open shares, which I guess could be used to get passwords, and also passwords in comments fields associated with domain accounts via ADUC and also local accounts in the description field. What I wondered is, on Windows servers, is there anywhere else password hashes could be obtained by a malicious insider, or even plain text passwords - and any mitigating controls to protect these?
June 8th, 2011 7:54am
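An added example, not part of the original post or the linked whitepaper: a small audit scanner for the cleartext locations the list above names (shell history, scripts, JDBC config files, tool configuration files). The rule names, file names and sample contents are constructed for illustration, and findings are reported with the secret redacted.

```python
import re

# Rule names are hypothetical; each maps to a location named in the post.
RULES = [
    # Shell history, Unix scripts, batch files: user/password on the command line.
    ("oracle-cli-credentials", re.compile(
        r"(?i)\b(?:sqlplus|expdp|impdp|exp|imp|sqlldr)(?:\.exe)?\s+"
        r"(?:-\S+\s+)*(?:userid=)?\w+/(?P<secret>[^\s@/]+)")),
    # JDBC config files: credentials embedded in a thin-driver URL.
    ("jdbc-url-credentials", re.compile(
        r"(?i)jdbc:oracle:thin:\w+/(?P<secret>[^@\s]+)@")),
    # SQL scripts, log and trace files: cleartext password in DDL.
    ("sql-identified-by", re.compile(
        r"(?i)\bidentified\s+by\s+(?!values\b)(?P<secret>\"[^\"]+\"|[^\s;]+)")),
    # Same files: a password hash set directly with IDENTIFIED BY VALUES.
    ("sql-password-hash", re.compile(
        r"(?i)\bidentified\s+by\s+values\s+'(?P<secret>[^']+)'")),
    # Tool configuration files: password key/value pairs.
    ("config-password-key", re.compile(
        r"(?i)\w*passw(?:or)?d\s*[=:]\s*(?P<secret>[^\s;\"']+)")),
]

def scan(name, text):
    """Return (file, line number, rule, redacted line) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                redacted = (line[:m.start("secret")] + "<redacted>"
                            + line[m.end("secret"):])
                findings.append((name, lineno, rule, redacted))
    return findings

def scan_all(files):
    return [f for name, text in files.items() for f in scan(name, text)]

# Constructed sample content, not taken from any real system.
SAMPLES = {
    ".bash_history": "cd /u01/app\nsqlplus -s scott/tiger@orcl @report.sql\n"
                     "sqlplus / as sysdba\n",
    "datasource.properties": "url=jdbc:oracle:thin:@dbhost:1521:ORCL\n"
                             "url2=jdbc:oracle:thin:app/S3cret@dbhost:1521:ORCL\n",
    "create_user.sql": "ALTER USER app IDENTIFIED BY Welcome1;\n"
                       "ALTER USER app IDENTIFIED BY VALUES '0123456789ABCDEF';\n",
    "example_tool.ini": "Password=tiger\n",
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(*finding, sep=" | ")
```

OS-authenticated logins (`sqlplus / as sysdba`) and JDBC URLs without embedded credentials are deliberately not flagged.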
Hello,
Plain text passwords can be sent in clear text depending on the protocol used.
What is sure is that passwords are hashed in AD. If someone obtains the hash then he can obtain the password using a brute force attack.
If he is unable to obtain the hash, he can perform a brute force attack or a dictionary attack to obtain a password. In this case, a lockout policy can be implemented in your domain to avoid such a thing.
For Oracle questions, ask Oracle Technical Support.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
June 8th, 2011 8:32am