Oracle password security is an integral part of any system: it controls who can access and maintain a database.
The Oracle docs offer several measures you can take to keep database passwords secure. The main tip is not only to keep your password confidential, but also to change it regularly.
The Oracle docs also suggest configuring encrypted passwords for both client/server and server/server connections. If you do not, the password can be intercepted and used to impersonate you.
The default values for Oracle password security are very weak, and special measures must be taken to strengthen it. These password security mechanisms can be combined with biometric security for Oracle (fingerprint readers) to further protect database access.
Oracle password security is implemented via Oracle "profiles", which are assigned to users. Here is the Oracle security profile syntax:

    ALTER PROFILE profile_name LIMIT pw_limit(s) range

where:

    pw_limit = PASSWORD_LIFE_TIME
             | PASSWORD_GRACE_TIME
             | PASSWORD_REUSE_TIME
             | PASSWORD_REUSE_MAX
             | FAILED_LOGIN_ATTEMPTS
             | PASSWORD_LOCK_TIME
    range    = UNLIMITED | DEFAULT | expression
Oracle password details
Steve Callan has these notes on Oracle password complexity:
The utlpwdmg.sql script found in the rdbms/admin directory provides a good starting point to enforce password complexity. You can also modify the code found in the Database Administrator's Guide. The SQL script provides the following functions or checks:

    - The password has a minimum length of four.
    - The password is not the same as the username.
    - The password has at least one alpha, one numeric, and one punctuation mark character.
    - The password is not a simple or obvious word, such as welcome, account, database, or user.
    - The password differs from the previous password by at least 3 characters.
Several of these pre-defined checks are easily modified. For example, the
minimum length can be increased to six by simply changing 4 to 6 in the code
extract shown below.
    -- Check for the minimum length of the password
    IF length(password) < 4 THEN
You can increase the number of simple or obvious words to check by adding more
words to the list ("guest" is missing; that would be my first addition to the
list). Likewise, you can require more numeric values and more of a difference
via very simple modifications to the script. So, the answer to "can you enforce
password complexity" is a resounding yes. Keep in mind that what is complex
enough for you may be overwhelming for most of your users. Remember, sometimes
"good enough" is good enough, so keep the password scheme simple enough to be,
well, good enough.
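The profile syntax given earlier and the checks Steve Callan lists, brought together in one added example that is not from the page, the Oracle docs or utlpwdmg.sql: a password verification function implementing those checks (with the minimum length raised and "guest" added to the word list), attached to a profile that also sets the six password limits. The names pw_verify_example and secure_pw_example, the numeric limits and the user scott are assumptions; the script must be run as SYS, which has to own a password verify function.

```sql
-- Added example; run as SYS, which must own a password verify function.
CREATE OR REPLACE FUNCTION pw_verify_example (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  differ PLS_INTEGER;
BEGIN
  IF LENGTH(password) < 8 THEN  -- the script's minimum of 4 raised to 8
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;
  -- Password must not equal the username (case-insensitive)
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'Password must differ from the username');
  END IF;
  -- At least one letter, one digit and one punctuation character
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
    raise_application_error(-20003, 'Need a letter, a digit and a punctuation mark');
  END IF;
  -- Reject simple or obvious words ("guest" added, as suggested above)
  IF LOWER(password) IN ('welcome', 'account', 'database', 'user', 'guest') THEN
    raise_application_error(-20004, 'Password is too simple');
  END IF;
  -- Differ from the previous password in at least 3 positions
  IF old_password IS NOT NULL THEN
    differ := ABS(LENGTH(password) - LENGTH(old_password));
    FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 3 THEN
      raise_application_error(-20005, 'Password too similar to the previous one');
    END IF;
  END IF;
  RETURN TRUE;
END;
/
CREATE PROFILE secure_pw_example LIMIT
  PASSWORD_LIFE_TIME       90      -- days before the password expires
  PASSWORD_GRACE_TIME      7       -- days of warnings after expiry
  PASSWORD_REUSE_TIME      365     -- days before a password may be reused
  PASSWORD_REUSE_MAX       10      -- changes before a password may be reused
  FAILED_LOGIN_ATTEMPTS    5       -- failures before the account locks
  PASSWORD_LOCK_TIME       1       -- days the account stays locked
  PASSWORD_VERIFY_FUNCTION pw_verify_example;
ALTER USER scott PROFILE secure_pw_example;  -- assign the profile to a user
```

Once the profile is assigned, every ALTER USER ... IDENTIFIED BY for that user runs the function and is rejected with the matching error message when a check fails.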