Oracle Password Security

Oracle Database Tips by Donald Burleson

The password limits in Oracle's shipped DEFAULT profile are weak (before 11g every limit was UNLIMITED), so special measures must be taken to strengthen Oracle password security. The profile mechanisms described here can also be combined with biometric security for Oracle (fingerprint readers, facial recognition) to enforce Oracle password security.

Oracle Security Catalog Script

You can get an idea about scripting Oracle password security profiles by examining Oracle's utlpwdmg.sql script, located in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. Be aware that the script alters the DEFAULT profile itself, so it changes the limits for every user who has not been assigned another profile; review it before running it on a database where application accounts could suddenly start expiring.

The script notes:

Rem utlpwdmg.sql
 . . .
Rem utlpwdmg.sql - script for Default Password Resource Limits
. . .
-- This script sets the default password resource parameters
-- This script needs to be run to enable the password features.
-- However the default resource parameters can be changed based
-- on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like
-- the minimum length of the password, password not same as the
-- username, etc. The user may enhance this function according to
-- the need.
-- This function must be created in SYS schema.
-- connect sys/ as sysdba before running the script


Oracle password profile security syntax


Oracle password security is implemented via Oracle "profiles" which are assigned to users. Every user has a profile; a user created without one gets the DEFAULT profile. Here is the Oracle security profile syntax:

  
ALTER PROFILE profile_name LIMIT pw_limit range [pw_limit range ...]

where:

  pw_limit = PASSWORD_LIFE_TIME
             PASSWORD_GRACE_TIME
             PASSWORD_REUSE_TIME
             PASSWORD_REUSE_MAX
             FAILED_LOGIN_ATTEMPTS
             PASSWORD_LOCK_TIME
             PASSWORD_VERIFY_FUNCTION

   range  =  UNLIMITED | DEFAULT | expression

For PASSWORD_VERIFY_FUNCTION the range is the name of a function owned by SYS, or NULL to disable checking. The limits are separated by whitespace only; commas between them are a syntax error.
 


We start by creating security "profiles" in Oracle and then assign each user to a profile. Here is a worked example of creating a profile:

create profile
   all_users
limit
   PASSWORD_LIFE_TIME 365
   PASSWORD_GRACE_TIME 10
   PASSWORD_REUSE_TIME UNLIMITED
   PASSWORD_REUSE_MAX 0
   FAILED_LOGIN_ATTEMPTS 3
   PASSWORD_LOCK_TIME UNLIMITED;

create user fred identified by flintstone profile all_users;

An existing profile is changed with "alter profile", which uses the same LIMIT keyword (there is no SET and no equals sign). The change applies to every user already assigned to the profile:

alter profile
   finance_user
limit
   failed_login_attempts 4;

Oracle password security profile parameters

Here are the password security parameters, with the values set in the 11g DEFAULT profile:

  • failed_login_attempts - The number of consecutive failed login attempts allowed before Oracle locks the account. The default in 11g is 10 failed attempts.
     

  • password_grace_time - The number of days after password_life_time is exceeded during which the user can still log in (with a warning) and must change the password. The default in 11g is 7 days.
     

  • password_life_time - The number of days an existing password stays valid. The default in 11g forces a password change every 180 days.
     

  • password_lock_time - How long, in days, the account stays locked once failed_login_attempts is reached. Fractions of a day are accepted (1/1440 locks for one minute), and UNLIMITED keeps the account locked until a DBA unlocks it. The default in 11g is one day.
     

  • password_reuse_max - The number of password changes required before a password can be reused. It is intended to stop users cycling through a short list of passwords (north, south, east, west).
     

  • password_reuse_time - The number of days that must pass before a previous password can be reused. The two reuse parameters work together: if one is an integer and the other is UNLIMITED, a password can never be reused; only when both are UNLIMITED does Oracle allow unrestricted reuse of old passwords.
     

  • password_verify_function - The name of a PL/SQL function, owned by SYS, that Oracle calls to check a new password's complexity whenever a password is set for a user with this profile. utlpwdmg.sql supplies a default one.
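The following is an added worked example, not code from this page or from Oracle's utlpwdmg.sql: a custom verification function, a profile that references it, users assigned to the profile, and the catalog queries that confirm what is actually enforced. It must be run as SYS because a PASSWORD_VERIFY_FUNCTION has to be owned by SYS. The names verify_password_strict, app_users, fred and scott are hypothetical, and the limits are illustrative rather than Oracle defaults.

```sql
-- Added example (not from the page or from utlpwdmg.sql). Run as SYS.
-- verify_password_strict, app_users, fred and scott are hypothetical names.

CREATE OR REPLACE FUNCTION verify_password_strict (
   username     VARCHAR2,
   password     VARCHAR2,
   old_password VARCHAR2)      -- NULL when a DBA sets the password with ALTER USER
RETURN BOOLEAN IS
   has_digit  BOOLEAN := FALSE;
   has_alpha  BOOLEAN := FALSE;
   ch         VARCHAR2(4);
   diff       PLS_INTEGER;
BEGIN
   -- Minimum length 12 (the default function shipped in utlpwdmg.sql asks for 8)
   IF LENGTH(password) < 12 THEN
      raise_application_error(-20001, 'password must be at least 12 characters');
   END IF;

   -- The password must not be the username in any letter case
   IF NLS_LOWER(password) = NLS_LOWER(username) THEN
      raise_application_error(-20002, 'password must not match the username');
   END IF;

   -- Require at least one letter and one digit
   FOR i IN 1 .. LENGTH(password) LOOP
      ch := SUBSTR(password, i, 1);
      IF ch BETWEEN '0' AND '9' THEN
         has_digit := TRUE;
      ELSIF UPPER(ch) BETWEEN 'A' AND 'Z' THEN
         has_alpha := TRUE;
      END IF;
   END LOOP;
   IF NOT (has_digit AND has_alpha) THEN
      raise_application_error(-20003, 'password needs at least one letter and one digit');
   END IF;

   -- A new password must differ from the old one in at least 3 positions,
   -- so changing "Summer2019a" to "Summer2019b" is rejected
   IF old_password IS NOT NULL THEN
      diff := ABS(LENGTH(password) - LENGTH(old_password));
      FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
         IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
            diff := diff + 1;
         END IF;
      END LOOP;
      IF diff < 3 THEN
         raise_application_error(-20004, 'password differs too little from the previous one');
      END IF;
   END IF;

   RETURN TRUE;
END verify_password_strict;
/

-- Limits are separated by whitespace only; commas here are a syntax error
CREATE PROFILE app_users LIMIT
   FAILED_LOGIN_ATTEMPTS    5
   PASSWORD_LOCK_TIME       1/24        -- fraction of a day: locked for one hour
   PASSWORD_LIFE_TIME       90
   PASSWORD_GRACE_TIME      7
   PASSWORD_REUSE_TIME      365
   PASSWORD_REUSE_MAX       10
   PASSWORD_VERIFY_FUNCTION verify_password_strict;

-- The verify function runs for every password set under this profile
CREATE USER fred IDENTIFIED BY "Bedrock-Quarry-1066" PROFILE app_users;
ALTER USER scott PROFILE app_users;       -- move an existing account

-- Confirm what the profile actually enforces
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USERS'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- Find open accounts still on the DEFAULT profile
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND account_status = 'OPEN';
```

The last query is the one to schedule: a new account created without a PROFILE clause silently lands on DEFAULT, so the hardened profile only protects what it is actually assigned to.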

Oracle Password Security with Biometrics

When biometric software (facial recognition or a fingerprint reader) supplies the Oracle username and password on the user's behalf, the end user never types, or even knows, the credential, so failed login attempts should be very rare. Hence:

  • The Oracle password can be as long and random as the database allows, because nobody has to remember or type it.
     

  • Password changes are cumbersome, because the credential stored in the biometric software must be changed in step with the database.
     

  • Account lockout can be harsh, because a username arriving with an invalid password cannot have come from the biometric software; it is a sign that someone is trying the account directly.

Hence we want a user profile that forces a very strong password, keeps the password for a long time, and locks the account after a few failed attempts until a DBA investigates, so that every lockout is noticed:

create profile
   all_biometric_users
limit
   PASSWORD_LIFE_TIME UNLIMITED
   PASSWORD_GRACE_TIME 0
   PASSWORD_REUSE_TIME UNLIMITED
   PASSWORD_REUSE_MAX 0
   FAILED_LOGIN_ATTEMPTS 3
   PASSWORD_LOCK_TIME UNLIMITED;
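A lockout-until-unlocked profile is only useful if someone sees the lockouts. The following is an added example, not part of the original page, of the audit setting and the queries a DBA would run (or schedule) to notice and investigate them. It assumes the 11g default of audit_trail=DB, so that failed logons land in DBA_AUDIT_SESSION; the account name fred in the unlock statement is hypothetical.

```sql
-- Added example (not from the page): detecting lockouts and their source.
-- Assumes audit_trail=DB (the 11g default); fred is a hypothetical account.

-- Record every failed logon: ORA-01017 (bad password) and ORA-28000 (account locked)
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- 1. Accounts currently locked, with the lock duration their profile imposes.
--    A profile-driven lock shows as LOCKED(TIMED); a DBA lock shows as LOCKED.
SELECT u.username,
       u.account_status,
       u.lock_date,
       u.profile,
       p.limit AS lock_time_days
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name = 'PASSWORD_LOCK_TIME'
   AND u.account_status LIKE 'LOCKED%'
 ORDER BY u.lock_date DESC;

-- 2. Failed logon attempts in the last 24 hours, grouped by source host.
--    When the biometric software is the only legitimate source of credentials,
--    any row from another host is someone probing the account directly.
SELECT username,
       userhost,
       os_username,
       returncode,
       COUNT(*)       AS attempts,
       MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE returncode IN (1017, 28000)
   AND timestamp > SYSDATE - 1
 GROUP BY username, userhost, os_username, returncode
 ORDER BY attempts DESC;

-- 3. Only after the source of the failures is understood
ALTER USER fred ACCOUNT UNLOCK;
```

Query 2 is the "complain loudly" part: with PASSWORD_LOCK_TIME UNLIMITED, the account stays locked until step 3, so the audit rows, not the lock itself, tell you whether the biometric integration broke or someone guessed at the password.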

Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.