In Oracle 10g and all previous versions, the password is not encrypted at all. It is simply a DES hash that is salted with the username, both of which can be found quite easily in the DBA_USERS view. DES strength is based more on the length of the hashed password than the complexity (which is hobbled by the passwords being converted to capital letters, and there are also some special characters that cannot be used). In Oracle 11g, if backwards compatibility is not necessary, SHA-1 is used exclusively with an unlisted salt, which makes it a much harder nut to crack.
Unfortunately, hashing is a one-way trip. When your password is authenticated, your plain text password isn't compared. Instead, your submission is run through the same hashing algorithm, and the results are compared. If the hash of your submission and the stored hash match, you are authenticated. This means that there is no recovering of keys to unencrypt the password; the most effective method of cracking the hash is to guess the password. Luckily, these days we can generate a lot of guesses per second.
Your best bet is to use one of the very effective Oracle password crackers available, such as Red-Database-Security.com's Checkpwd or John the Ripper. Both are free and work on nearly every platform/OS. Checkpwd uses a dictionary attack, and given the dictionary files available (you can always tailor your own as well), it is very effective. John the Ripper has both dictionary and brute-force attacks. A well-crafted dictionary attack is often very productive and amazingly fast because of its focused nature. If brute force is used on a modern desktop system, it will crack passwords under six characters in anywhere from a few minutes to a couple of hours. Any password over eight characters will take a few days.
I hope this helps you out, and I wish you the best of luck!
This was first published in August 2009
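
The following is an added example, not part of the original answer, modelling the verification flow and the two storage properties described above (username as salt with upper-casing, versus a random per-account salt). SHA-1 stands in for both schemes (the older one is really DES-based), and the function names, the 10-byte salt length and the sample credentials are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def legacy_style_hash(username: str, password: str) -> str:
    # Models the older scheme's inputs only: the username is the salt and
    # everything is upper-cased. SHA-1 is a stand-in for the DES-based hash.
    material = (username + password).upper().encode("utf-8")
    return hashlib.sha1(material).hexdigest()


def random_salt_hash(password: str, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    # Models a case-sensitive hash with a random per-account salt.
    # The 10-byte salt length is an assumption made for this demo.
    if salt is None:
        salt = os.urandom(10)
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest(), salt


def verify_legacy(username: str, submitted: str, stored: str) -> bool:
    # Authentication re-hashes the submission and compares hashes;
    # the plain-text password is never stored or compared.
    return hmac.compare_digest(legacy_style_hash(username, submitted), stored)


def verify_random_salt(submitted: str, stored: str, salt: bytes) -> bool:
    digest, _ = random_salt_hash(submitted, salt)
    return hmac.compare_digest(digest, stored)


def audit_findings() -> dict:
    # Constructed sample credentials, not taken from any real system.
    stored_a = legacy_style_hash("scott", "Tiger#2009")   # account on database A
    stored_b = legacy_style_hash("SCOTT", "tiger#2009")   # same account on database B
    new_a, salt_a = random_salt_hash("Tiger#2009")
    new_b, salt_b = random_salt_hash("Tiger#2009")
    return {
        # Case folding: a differently-cased submission still authenticates.
        "legacy_ignores_case": verify_legacy("scott", "TIGER#2009", stored_a),
        # Username as salt: identical stored hash on every database.
        "legacy_same_everywhere": stored_a == stored_b,
        # Random salt: the same password stores differently per account.
        "salted_differs_per_account": new_a != new_b,
        "salted_is_case_sensitive": not verify_random_salt("TIGER#2009", new_a, salt_a),
        "salted_accepts_correct": verify_random_salt("Tiger#2009", new_b, salt_b),
    }
```

Calling `audit_findings()` returns `True` for every entry, which is why accounts still carrying the older hash format are the ones to prioritise for password resets and longer password policies.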