Oracle Password Management Policy
Purpose:
~~~~~~~~
To understand Oracle's Password Management Policy features.
The available options are:

1. Account Locking
2. Password Aging and Expiration
3. Password History
4. Password Complexity Verification


Scope & Application:
~~~~~~~~~~~~~~~~~~~~
Oracle DBAs that require added security for password management.


Password Management Policy
--------------------------
Password Management is set up by DBAs using Oracle Profiles. A Profile is set up
with the required password parameters and then assigned to a user. Oracle
provides a script, $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, to set up password
management features on the DEFAULT profile. Connect as SYS before running
this script. DBAs can use it as a sample to see how the password management
features are enabled.

Tip : Copy the utlpwdmg.sql script and customize it to your own needs,
      using the Oracle developed verify function as a starting template.

Tip : Create a new profile and experiment with the feature first, for
      example: create profile custom limit PASSWORD_VERIFY_FUNCTION verify_function;
      To assign this profile to a user, use the following syntax:

      SQL> alter user scott profile custom;

There are currently 7 password management parameters that can be specified in a
database profile. Each password management feature discussed below includes a
reference to the relevant profile parameters.


1. Account Locking - When a user exceeds a designated number of failed login
   attempts (FAILED_LOGIN_ATTEMPTS), the server automatically locks that user's
   account for a specified time period (PASSWORD_LOCK_TIME).

Profile parameters: FAILED_LOGIN_ATTEMPTS
                    PASSWORD_LOCK_TIME


2. Password Aging and Expiration - When the specified amount of time passes
   (PASSWORD_LIFE_TIME) the password expires, and the user or DBA must change
   the password. A grace period in days (PASSWORD_GRACE_TIME) can be set,
   allowing the user time to change their password after it has expired.
   Users enter the grace period upon the first attempt to log in to a database
   account after their password has expired. During the grace period, a warning
   message appears each time users try to log in to their accounts, and continues
   to appear until the grace period expires.
   Users must change the password within the grace period.
   If the password is not changed within the grace period, the account expires
   and no further logins to that account are allowed until the password is
   changed.

   Note that the account cannot and will not be locked as a result of exceeding
   the life time and subsequent grace time; however, the user will not be able to
   log in until the password is changed.

Profile parameters: PASSWORD_LIFE_TIME
                    PASSWORD_GRACE_TIME


3. Password History - A time interval during which users cannot reuse a password
   (PASSWORD_REUSE_TIME). This can be specified as either a time interval in days,
   or a number of password changes the user must make before the current password
   can be reused (PASSWORD_REUSE_MAX).

Profile parameters: PASSWORD_REUSE_TIME
                    PASSWORD_REUSE_MAX


4. Password Complexity Verification - DBAs can create their own password
   verification routines using PL/SQL.

The SYS owned PL/SQL function must adhere to the following format:

routine_name( userid_parameter IN VARCHAR2, password_parameter IN VARCHAR2,
              old_password_parameter IN VARCHAR2) RETURN BOOLEAN


Once complexity checking is enabled, a user can change his/her password
in a number of different ways:

4.1. Use the sqlplus 'password' command, for example:

SQL> connect scott/tiger
Connected.
SQL> password
Changing password for SCOTT
Old password:
New password:
Retype new password:
Password changed
SQL>

4.2. Use the ALTER USER statement, for example:

SQL> ALTER USER &MYUSERNAME IDENTIFIED BY &NEWPASSWORD REPLACE &OLDPASSWORD;

The ALTER USER syntax using the REPLACE keyword was added as part of the
fix to bug 1231172, so this syntax will work in all currently supported
releases.

4.3. Any custom application using the OCIPasswordChange() call; see note 139748.1
for an example. This can be used by application developers to develop customer
friendly screens. When developing such an application it is important to generate
the proper responses to the following exceptions associated with the password
management feature:

ORA-28000 "the account is locked"
ORA-28001 "the password has expired"
ORA-28002 "the password will expire within %s days"
ORA-28003 "password verification for the specified password failed"
ORA-28007 "the password cannot be reused"
ORA-28008 "invalid old password"

Profile parameters: PASSWORD_VERIFY_FUNCTION

Tip : To disable the verify function of a given profile, set it to NULL,
      for example:

      SQL> alter profile default limit password_verify_function null;


Example using all Password Management features previously discussed.
--------------------------------------------------------------------
-- A default password complexity function is provided.
-- This sample function makes no checks and always returns true.
-- The logic in the function should be modified as required.
-- See $ORACLE_HOME/rdbms/admin/utlpwdmg.sql for an idea of the kind
-- of logic that can be used.
-- This function must be created in the SYS schema.
-- connect sys/<password> as sysdba before running this.

CREATE OR REPLACE FUNCTION allways_true (username varchar2,
    password varchar2, old_password varchar2) RETURN boolean IS
BEGIN
    RETURN(TRUE);
END;
/

-- This script alters the default parameters for Password Management.
-- This means that all the users on the system have Password Management
-- enabled and set to the following values unless another profile is
-- created with parameter values set to a different value or UNLIMITED
-- and assigned to the user.

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 60              -- (days)
PASSWORD_GRACE_TIME 10             -- (days)
PASSWORD_REUSE_TIME 1800           -- (days)
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 3            -- (times)
PASSWORD_LOCK_TIME 1/1440          -- (days, i.e. one minute)
PASSWORD_VERIFY_FUNCTION allways_true;


Related Documents:
~~~~~~~~~~~~~~~~~~
Note:124648.1  ORA-28003 ORA-20001 ORA-20002 ORA-20003 ORA-20004 After Running UTLPWDMG.SQL
Note:98481.1   How to Keep the Same Password when Expiry Time is Reached and Change is Required
Note:162818.1  ORA-28002 On User Connection Immediately After PASSWORD_LIFE_TIME Changed
Note:1079860.6 ORA-28011 Password Expiry Date is Reached But Reset to NULL
Note:139676.1  ORA-28007: the password cannot be reused
Note:1083889.6 ORA-00931: missing identifier when PASSWORD_VERIFY_FUNCTION = UNLIMITED
Note:260111.1  How to interpret the ACCOUNT_STATUS column in DBA_USERS
Note:139748.1  Demonstrates the use of the new Oracle OCI8 OCIPasswordChange function

bug:1231172 ENHANCEMENT: Add "REPLACE oldpassword" clause to ALTER USER command