(1) does anyone know the algorithm which Oracle uses to encrypt passwords? I see that they are stored in DBA_USERS, but it doesn't seem to be DES...

Does a password auditing program for "vanilla" Oracle authentication and/or Oracle applications exist which will run a dictionary attack?

(2) Is it possible to test the strength of a user's password when they change it? I must test the strength of passwords in both "vanilla" Oracle (i.e. alter user <x> identified by <y>) and that in Oracle Financials. I assume that I can write a trigger in Financials to intercept poor passwords. Is it possible to do so with the traditional Oracle authentication mechanism (when a user changes password via alter)?

Thank you very much for any help you can give me.. This is driving me crazy :)
--
Craig Nelson - [email protected]
http://www.clark.net/pub/cn
you can develop a crack like program though to probe the userids. there is 3rd party software that does this (braintree sql secure for example). You could do it by creating another empty database and creating the users in it and putting the contents of your dba_users table into another table (eg: in the new database, issue "create table user_passwords as select username, password from dba_users@the_real_database").

Now, you can alter each user with 'easy' passwords, comparing the digest created for them against the digest you selected over from the other database. if they match -- you know the password.

again, 3rd party software does this (you can buy this)

(2)
if you have 8.0, yes for the database. (for apps, i don't know). For the database, you have your own procedure you can have run to validate a password is 'ok'. see the server admin guide.
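
An added example, not part of the reply above and not Oracle's own script: a sketch of the kind of password verification procedure the reply refers to, attached to users through a profile's PASSWORD_VERIFY_FUNCTION limit. The names verify_password_example, checked_users and some_user, the length and character rules, and the short deny list are assumptions chosen for illustration.

```sql
-- Added example. Create the function in the SYS schema so the profile can call it.
-- verify_password_example is a hypothetical name; the rules below are illustrative.
CREATE OR REPLACE FUNCTION verify_password_example (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  has_digit  BOOLEAN := FALSE;
  has_letter BOOLEAN := FALSE;
  ch         VARCHAR2(1);
BEGIN
  -- Length check first; LENGTH(NULL) is NULL, so test for NULL explicitly.
  IF password IS NULL OR LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;
  -- A password equal to the account name is the first guess in any audit.
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'Password must differ from the user name');
  END IF;
  -- Small constructed deny list; a real one would be a table lookup.
  IF LOWER(password) IN ('welcome1', 'password1', 'changeme1', 'oracle123') THEN
    raise_application_error(-20003, 'Password is too common');
  END IF;
  -- Require at least one letter and one digit.
  FOR i IN 1 .. LENGTH(password) LOOP
    ch := SUBSTR(password, i, 1);
    IF ch BETWEEN '0' AND '9' THEN
      has_digit := TRUE;
    ELSIF UPPER(ch) BETWEEN 'A' AND 'Z' THEN
      has_letter := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_digit AND has_letter) THEN
    raise_application_error(-20004, 'Password needs a letter and a digit');
  END IF;
  -- The old password is compared only when the server supplies it.
  IF old_password IS NOT NULL AND UPPER(old_password) = UPPER(password) THEN
    raise_application_error(-20005, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/
-- checked_users and some_user are hypothetical names.
CREATE PROFILE checked_users LIMIT PASSWORD_VERIFY_FUNCTION verify_password_example;
ALTER USER some_user PROFILE checked_users;
```

Once the profile is assigned, "alter user some_user identified by <y>" runs the function and fails with the raised error text when a rule is violated.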