Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 
 Home
 E-mail Us
 Oracle Articles


 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog


 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Analysis
 Design
 Implementation
 Oracle Support


 SQL Tuning
 Security

 Oracle UNIX
 Oracle Linux
 Monitoring
 Remote s
upport
 Remote plans
 Remote
services
 Application Server

 Applications
 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S
upport  
 Development  

 Implementation


 Consulting Staff
 Consulting Prices
 Help Wanted!

 


 Oracle Posters
 Oracle Books

 Oracle Scripts
 Ion
 Excel-DB  

Don Burleson Blog 


 

 

 


 

 

 

 

 

Enforcing Complex Passwords in 11g

Oracle 11g New Features Tips by Burleson Consulting
June 29, 2008

Oracle 11g New Features Tips

Case sensitive passwords improve the security for the database greatly and it is strongly recommended to use them because this feature makes it much more difficult for a potential hacker to break into the system. There is number of additional rules that apply to secure passwords which make the hackers? life more difficult. A secure password is always a complex password and Oracle strongly recommends the use of secure passwords.

A complex password contains:
  • At least 10 characters
  • A mixture of letters and numbers
  • Mixed case letters (11g!)
  • Symbols (11g!)
  • Little or no relation to an actual word

Oracle recommends customers to enforce checks and response actions for failed logins,  password complexity, password expiration and password reuse.

Password complexity can be implemented through profiles.

The script for password management implementation utlpwdmg.sql has been modified in 11g. It can be used to create a new function to verify password complexity rules. This function is an enhanced version of the verify_function from per 11g versions.

The default settings in the verify_function_11g for password complexity are:

  • minimum length of 8 characters

  • the password must not  be the reverse username

  • the password must not  be the username with a numeric suffix of 1-100

  • the password must not be oracle with a numeric suffix of 1-100

  • the password must not  be the  database?s name

  • the password must not  be the  database?s name with a numeric suffix of 1-100

  • the password must contain at least one digit and one character

  • a new password must differ at least in 3 positions from the old password

  • the password must not be a string from a predefine list (this list has also been adjusted in the 11g function)

The defaults for the default profile have also been modified in the script utlpwdmg.sql.

Some limits are automatically set if you create an 11g database using DBCA:

LUTZ AS SYSDBA @ orcl SQL> SELECT * FROM user_password_limits;

RESOURCE_NAME                    LIMIT
-------------------------------- ----------------------------------------
FAILED_LOGIN_ATTEMPTS            10
PASSWORD_LIFE_TIME               180
PASSWORD_REUSE_TIME              UNLIMITED
PASSWORD_REUSE_MAX               UNLIMITED
PASSWORD_VERIFY_FUNCTION         NULL
PASSWORD_LOCK_TIME               1
PASSWORD_GRACE_TIME              7

7 rows selected.

% Password complexity check is not enabled by default!
           You must create the verify function and alter the default profile manually to                enable it.

How to find accounts with default passwords in 11g

Oracle 11g comes with a great number of automatically created user accounts. The following table lists all default accounts of Oracle 11g Enterprise Edition:

User_name

Account_Status

ANONYMOUS

EXPIRED&LOCKED

APEX_PUBLIC_USER

EXPIRED&LOCKED

CTXSYS

EXPIRED&LOCKED

DBSNMP

EXPIRED&LOCKED

DIP

OPEN

DMSYS

EXPIRED&LOCKED

EXFSYS

EXPIRED&LOCKED

FLOWS_3000

EXPIRED&LOCKED

FLOWS_FILES

EXPIRED&LOCKED

HR

EXPIRED&LOCKED

LBACSYS

EXPIRED&LOCKED

MDDATA

EXPIRED&LOCKED

MDSYS

EXPIRED&LOCKED

MGMT_VIEW

OPEN

ODM

EXPIRED&LOCKED

ODM_MTR

EXPIRED&LOCKED

OE

EXPIRED&LOCKED

OLAPSYS

EXPIRED&LOCKED

ORACLE_OCM

EXPIRED&LOCKED

ORDPLUGINS

EXPIRED&LOCKED

ORDSYS

EXPIRED&LOCKED

OUTLN

EXPIRED&LOCKED

OWBSY

EXPIRED&LOCKED

PM

EXPIRED&LOCKED

PUBLIC

EXPIRED&LOCKED

QS

EXPIRED&LOCKED

QS_ADM

EXPIRED&LOCKED

QS_CS

EXPIRED&LOCKED

QS_ES

EXPIRED&LOCKED

QS_OS

EXPIRED&LOCKED

QS_WS

EXPIRED&LOCKED

RMAN

EXPIRED&LOCKED

SCOTT

EXPIRED&LOCKED

SH

EXPIRED&LOCKED

SI_INFORMTN_SCHEMA

EXPIRED&LOCKED

SPATIAL_CSW_ADMIN_USR

EXPIRED&LOCKED

SPATIAL_WFS_ADMIN_USR

EXPIRED&LOCKED

SYS

OPEN

SYSMAN

OPEN

SYSTEM

OPEN

TSMSYS

EXPIRED&LOCKED

WK_TEST

EXPIRED&LOCKED

WKPROXY

EXPIRED&LOCKED

WKSYS

EXPIRED&LOCKED

WMSYS

EXPIRED&LOCKED

XDB

EXPIRED&LOCKED

Default passwords are a serious threat and it is strongly recommended to change the passwords for all automatically created accounts right away after database creation. In previous releases it was necessary to use home grown code to find out which accounts still use the default password. The data dictionary of an 11g database can be queried for user accounts which are still using the initial default password.

The view dba_users_with_defpwd shows the DBA all accounts for which the password is still the default and thus should be changed immediately:

SYSTEM @ orcl111 SQL> SELECT * FROM dba_users_with_defpwd;

USERNAME
------------------------------
DIP
OUTLN
EXFSYS
XDB
WMSYS

 

This is an excerpt from the new book Oracle 11g New Features: Expert Guide to the Important New Features by John Garmany, Steve Karam, Lutz Hartmann, V. J. Jain, Brian Carr.

You can buy it direct from the publisher for 30% off.

 

 
��
 
 
 
 

 
 
 

 
Oracle performance tuning software 
 
oracle dba poster
Oracle Linux poster
 
 

 

Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  and include the URL for the page.


                    









Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


 

Copyright ? 1996 -  2014

All rights reserved by Burleson

Oracle ? is the registered trademark of Oracle Corporation.