Enforcing Complex Passwords in 11g

Case sensitive passwords improve the security for the database greatly and it is strongly recommended to use them because this feature makes it much more difficult for a potential hacker to break into the system. There is number of additional rules that apply to secure passwords which make the hackers? life more difficult. A secure password is always a complex password and Oracle strongly recommends the use of secure passwords.

Oracle recommends customers to enforce checks and response actions for failed logins,  password complexity, password expiration and password reuse.

Password complexity can be implemented through profiles.

The script for password management implementation utlpwdmg.sql has been modified in 11g. It can be used to create a new function to verify password complexity rules. This function is an enhanced version of the verify_function from per 11g versions.

The default settings in the verify_function_11g for password complexity are:

• minimum length of 8 characters

• the password must not  be the reverse username

• the password must not  be the username with a numeric suffix of 1-100

• the password must not be oracle with a numeric suffix of 1-100

• the password must not  be the  database's name

• the password must not  be the  database's name with a numeric suffix of 1-100

• the password must contain at least one digit and one character

• a new password must differ at least in 3 positions from the old password

• the password must not be a string from a predefine list (this list has also been adjusted in the 11g function)

The defaults for the default profile have also been modified in the script utlpwdmg.sql.

Some limits are automatically set if you create an 11g database using DBCA:

LUTZ AS SYSDBA @ orcl SQL> SELECT * FROM user_password_limits;

RESOURCE_NAME                    LIMIT
-------------------------------- ----------------------------------------
FAILED_LOGIN_ATTEMPTS            10
PASSWORD_LIFE_TIME               180
PASSWORD_REUSE_TIME              UNLIMITED
PASSWORD_REUSE_MAX               UNLIMITED
PASSWORD_VERIFY_FUNCTION         NULL
PASSWORD_LOCK_TIME               1
PASSWORD_GRACE_TIME              7

7 rows selected.

Oracle 11g comes with a great number of automatically created user accounts. The following table lists all default accounts of Oracle 11g Enterprise Edition:

User_name	Account_Status
ANONYMOUS	EXPIRED&LOCKED
APEX_PUBLIC_USER	EXPIRED&LOCKED
CTXSYS	EXPIRED&LOCKED
DBSNMP	EXPIRED&LOCKED
DIP	OPEN
DMSYS	EXPIRED&LOCKED
EXFSYS	EXPIRED&LOCKED
FLOWS_3000	EXPIRED&LOCKED
FLOWS_FILES	EXPIRED&LOCKED
HR	EXPIRED&LOCKED
LBACSYS	EXPIRED&LOCKED
MDDATA	EXPIRED&LOCKED
MDSYS	EXPIRED&LOCKED
MGMT_VIEW	OPEN
ODM	EXPIRED&LOCKED
ODM_MTR	EXPIRED&LOCKED
OE	EXPIRED&LOCKED
OLAPSYS	EXPIRED&LOCKED
ORACLE_OCM	EXPIRED&LOCKED
ORDPLUGINS	EXPIRED&LOCKED
ORDSYS	EXPIRED&LOCKED
OUTLN	EXPIRED&LOCKED
OWBSY	EXPIRED&LOCKED
PM	EXPIRED&LOCKED
PUBLIC	EXPIRED&LOCKED
QS	EXPIRED&LOCKED
QS_ADM	EXPIRED&LOCKED
QS_CS	EXPIRED&LOCKED
QS_ES	EXPIRED&LOCKED
QS_OS	EXPIRED&LOCKED
QS_WS	EXPIRED&LOCKED
RMAN	EXPIRED&LOCKED
SCOTT	EXPIRED&LOCKED
SH	EXPIRED&LOCKED
SI_INFORMTN_SCHEMA	EXPIRED&LOCKED
SPATIAL_CSW_ADMIN_USR	EXPIRED&LOCKED
SPATIAL_WFS_ADMIN_USR	EXPIRED&LOCKED
SYS	OPEN
SYSMAN	OPEN
SYSTEM	OPEN
TSMSYS	EXPIRED&LOCKED
WK_TEST	EXPIRED&LOCKED
WKPROXY	EXPIRED&LOCKED
WKSYS	EXPIRED&LOCKED
WMSYS	EXPIRED&LOCKED
XDB	EXPIRED&LOCKED

Default passwords are a serious threat and it is strongly recommended to change the passwords for all automatically created accounts right away after database creation. In previous releases it was necessary to use home grown code to find out which accounts still use the default password. The data dictionary of an 11g database can be queried for user accounts which are still using the initial default password.

The view dba_users_with_defpwd shows the DBA all accounts for which the password is still the default and thus should be changed immediately:

SYSTEM @ orcl111 SQL> SELECT * FROM dba_users_with_defpwd;

USERNAME
------------------------------
DIP
OUTLN
EXFSYS
XDB
WMSYS