A normal root or SYS password does not have to be recycled frequently and is not intrinsically linked to a unique
single individual person. Therefore that password is not the property of a single human; it belongs to the organization.
If the root/SYS password is designed to be time-limited to a day, and knowledge of that password is only for the
single user—and actions carried out by that account during that time are accountable to that user—then the user has
a right to refuse to give that password to another unless their accountability has been formally ended, which may
require written documentation from HR to make that legally binding. Human password management practice has
to be improved before moving to “the Cloud.” If a company's HR system is on a vendor's website, then it is not going
to be good enough for that HR user to have the same password for Yahoo, Gmail, and the salary web page, and also
be checking that single password on another small consultancy website for complexity. We need to train users not
to automatically type their passwords into web pages, especially if their account is privileged. The primary technical
issue with automated administrative password changes is that they are commonly carried out using ALTER USER
statements sent over SQL*Net in plaintext, partly because of the historical cost of SSL as part of Oracle Advanced Security (OAS)
and partly because of the extra development cost of the break-glass server software. There are other ways of protecting
the password change over the wire that are compatible with most automated PAC systems; for instance, the OCI New Password
functionality included in JDBC. The following page shows how to force an encrypted password change from a JDBC client to an
Oracle server using JDBC's OCI New Password facility.
OCI New Password
The following Java code uses the same encryption method as a SQL*Plus encrypted logon, but triggers it programmatically
through OCI. This code has been available free of charge for some time, so you may see it elsewhere in your travels.
import java.sql.*;
import java.util.*;

// Changes a user's password through the OCI driver's OCINewPassword connection
// property. The new password travels inside the OCI authentication exchange,
// protected in the same way as a SQL*Plus encrypted logon, instead of inside a
// cleartext ALTER USER statement.
class EncEPV
{
    public static void main(String args[]) throws SQLException
    {
        DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
        // OCI (thick) driver URL: the OCINewPassword property relies on the OCI client.
        String url = "jdbc:oracle:oci8:@192.168.1.4/orcl";
        String usr = "scott";
        String pwd = "tiger";        // current password
        String newpass = "manager";  // new password, sent encrypted

        Properties props = new Properties();
        props.put("user", usr);
        props.put("password", pwd);
        props.put("OCINewPassword", newpass);

        // The password change happens while the connection is established; if the
        // logon with the current password fails, getConnection throws and nothing
        // is changed.
        Connection conn = DriverManager.getConnection(url, props);
        System.out.println("Password Changed");
        conn.close();
    }
}
The following are useful SQL statements for testing the above code:

alter user scott identified by tiger;
select password from sys.user$ where name='SCOTT';
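Added defender-side example, not from the book: a scanner that flags ALTER USER ... IDENTIFIED BY password changes carried in the clear in SQL*Net Data packets, the exposure described at the start of this section, and redacts the secret before it reaches a log. The payload bytes are constructed stand-ins, not real captures, and the OCI new-password exchange appears only as opaque placeholder bytes, which the scanner leaves alone.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Cleartext ALTER USER ... IDENTIFIED BY <password>. Unquoted passwords run to the
# first non-printable byte, space, ';' or '"'; quoted ones may contain spaces.
# IDENTIFIED BY VALUES (a pre-computed verifier, not a password) is excluded, and
# EXTERNALLY / GLOBALLY never match because they have no BY clause.
_ALTER_USER_RE = re.compile(
    r'ALTER\s+USER\s+("?)(?P<user>[A-Za-z0-9_$#]+)\1\s+IDENTIFIED\s+BY\s+'
    r'(?!VALUES\b)(?:"(?P<qpw>[ !#-~]*)"|(?P<pw>[!#-:<-~]+))',
    re.IGNORECASE,
)

@dataclass(frozen=True)
class PasswordChangeAlert:
    user: str
    password_length: int  # the secret itself is never stored or logged
    statement: str        # matched statement with the password redacted

def find_cleartext_password_changes(payloads: Iterable[bytes]) -> List[PasswordChangeAlert]:
    """Flag ALTER USER password changes sent in the clear in SQL*Net Data packets.

    Each payload is the application data of one TNS packet, framing bytes included.
    latin-1 maps every byte to one character, so the SQL text embedded among the
    binary framing is searched without decode errors.
    """
    alerts: List[PasswordChangeAlert] = []
    for raw in payloads:
        text = raw.decode("latin-1")
        for m in _ALTER_USER_RE.finditer(text):
            grp = "qpw" if m.group("qpw") is not None else "pw"
            redacted = (text[m.start():m.start(grp)] + "[REDACTED]"
                        + text[m.end(grp):m.end()])
            alerts.append(PasswordChangeAlert(m.group("user"), len(m.group(grp)), redacted))
    return alerts

# Constructed sample payloads (not real captures): TNS-like framing bytes around the
# statement text; the last entry stands in for an OCI new-password exchange whose
# contents are opaque on the wire and therefore produce no alert.
SAMPLE_PAYLOADS = [
    b"\x00\x3a\x00\x00\x06\x00\x00\x00\x00\x00\x03\x5e\x00"
    b"ALTER USER scott IDENTIFIED BY tiger" b"\x01\x00\x00\x00",
    b"\x00\x00\x06\x00\x00\x00\x00\x00\x03\x5e" b'alter user "HR_ADMIN" identified by "Sp ring 2024!"',
    b"ALTER USER scott IDENTIFIED BY VALUES '0123456789ABCDEF'",  # verifier, not a password
    b"SELECT password FROM sys.user$ WHERE name='SCOTT'",
    b"\x00\x00\x06\x00\x00\x00\x00\x00\x01\x06\x1f\x7a\x9c\xe3\x44\x02\x8b",  # opaque stand-in
]
```

Run over SAMPLE_PAYLOADS the scanner reports two alerts, for scott and HR_ADMIN, each with the password replaced by [REDACTED].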