Oracle Tips by Burleson Consulting
The default values for Oracle password security are very weak, and special measures must be taken to strengthen Oracle password security. We can use these password security mechanisms together with biometric security for Oracle (fingerprint readers) to ensure Oracle
Security Catalog Script
You can get an idea about scripting Oracle password security profiles by examining Oracle's utlpwdmg.sql script, located in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. The script notes:
. . .
Rem utlpwdmg.sql - script for Default Password Resource Limits
. . .
-- This script sets the default password resource parameters
-- This script needs to be run to enable the password features.
-- However the default resource parameters can be changed based
-- on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like
-- the minimum length of the password, password not same as the
-- username, etc. The user may enhance this function according
-- the need.
-- This function must be created in SYS schema.
-- connect sys/ as sysdba before running the script
Password profile security syntax
Oracle password security is implemented via Oracle "profiles", which are assigned to users. Here is the Oracle security profile syntax:
profile_name LIMIT pw_limit(s) range
pw_limit = PASSWORD_LIFE_TIME
range = UNLIMITED | DEFAULT |
Passwords are secured by creating security "profiles" in Oracle and then altering the user to belong to the profile group. Here is pseudocode for creating a user that belongs to a profile:
create user fred identified by flintstone profile all_users;
The profile itself is controlled by the following "alter profile" parameters, which are invoked as:
alter profile all_users limit failed_login_attempts 4;
Password security profile parameters
Here are the password security parameters:
failed_login_attempts - This is the number of failed login attempts allowed before the Oracle user account is locked. The default in 11g is 10 failed attempts.
password_grace_time - This is the grace period granted after the password_life_time limit is exceeded.
password_life_time - This is how long an existing password is valid. The default in 11g forces a password change every 180 days.
password_lock_time - This is the number of days that must pass after an account is locked for reaching failed_login_attempts before it is unlocked again. The default in 11g is one day.
password_reuse_max - This is the number of times that you may reuse a password; it is intended to prevent repeating password cycles (north, south, east, west).
password_reuse_time - This parameter specifies a time limit before a previous password can be re-entered. To allow unlimited use of previously used passwords, set password_reuse_time
password_verify_function - This allows you to specify the name of a custom password verification function.
Password Security with Biometrics
When using biometrics and facial recognition to enforce the identity of an Oracle user, we acknowledge that failed login attempts will be very rare, because the user/password combination will be fed by the security software and the end user will never know the actual value of their username or their Oracle password. Hence:
Passwords can be very strong (8 characters, with numbers).
Password changes will be cumbersome because the biometric software must
Lockdown must be harsh because there will never be a username with an invalid password coming from the biometrics (facial recognition, fingerprint reader).
Hence we want user profiles that force a very strong password, keep the password for a long time, and complain loudly if a username is disabled for failed password attempts:
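As an added example (not code from the original page), here is one such profile in Oracle SQL, with a minimal verify function of the kind utlpwdmg.sql provides. The profile name biometric_users, the function name verify_strong_pw and the specific limits are assumptions chosen to match the policy above, not values from the page.

```sql
-- Added example, not from the original page: a profile for the policy
-- above (strong password, long life, harsh lockout) plus a minimal
-- verify function like the one utlpwdmg.sql provides. The names
-- biometric_users and verify_strong_pw and the limits are assumptions.
-- Run as SYS: the verify function must be created in the SYS schema.
CREATE OR REPLACE FUNCTION verify_strong_pw (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    -- at least 8 characters
    IF LENGTH(password) < 8 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
    END IF;
    -- not the same as the username
    IF UPPER(password) = UPPER(username) THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must differ from the username');
    END IF;
    -- must contain a digit
    IF NOT REGEXP_LIKE(password, '[0-9]') THEN
        RAISE_APPLICATION_ERROR(-20003, 'Password must contain a number');
    END IF;
    RETURN TRUE;
END;
/

CREATE PROFILE biometric_users LIMIT
    FAILED_LOGIN_ATTEMPTS    2           -- a wrong password never comes from the reader
    PASSWORD_LOCK_TIME       UNLIMITED   -- stay locked until a DBA unlocks the account
    PASSWORD_LIFE_TIME       365         -- keep the password a long time
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      365         -- no reuse within a year...
    PASSWORD_REUSE_MAX       10          -- ...and only after 10 intervening changes
    PASSWORD_VERIFY_FUNCTION verify_strong_pw;

-- Attach the profile to the user from the page's create user example
ALTER USER fred PROFILE biometric_users;

-- Confirm what is in force, then watch for accounts that got locked
SELECT resource_name, limit FROM dba_profiles
 WHERE profile = 'BIOMETRIC_USERS' AND resource_type = 'PASSWORD';
SELECT username, account_status, lock_date FROM dba_users
 WHERE account_status LIKE 'LOCKED%';
```

The last query is the "complain loudly" part: with a lock time of UNLIMITED, any row it returns means a login came from somewhere other than the biometric software and needs a DBA to investigate and unlock.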