Databases Reference
In-Depth Information
Once the password verify function has been created, you can use the ALTER PROFILE command to associate the
password verify function with all users to which a given profile is assigned. For instance, in Oracle Database 12c, to set
the password verify function of the DEFAULT profile, issue this command:
SQL> alter profile default limit PASSWORD_VERIFY_FUNCTION ora12c_verify_function;
If, for any reason, you need to back out of the new security modifications, run this statement to disable the
password function:
SQL> alter profile default limit PASSWORD_VERIFY_FUNCTION null;
When enabled, the password verification function ensures that users are correctly creating or modifying their
passwords. The utlpwdmg.sql script creates a function that checks a password to make certain it meets basic security
standards, such as a minimum password length and a password that is not the same as the username. You can verify that the new
security function is in effect by attempting to change the password of a user to which the DEFAULT profile has been
assigned. This example tries to change the password to less than the minimum length:
SQL> password
Changing password for HEERA
Old password:
New password:
Retype new password:
ERROR:
ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 8
Note
For Oracle Database 12c and 11g, when using the standard password verify function, the minimum password
length is eight characters. For Oracle Database 10g the minimum length is four characters.
Keep in mind that it's possible to modify the code used to create the password verification function. For example,
you can open and modify the script used to create this function:
$ vi $ORACLE_HOME/rdbms/admin/utlpwdmg.sql
If you feel that the Oracle-supplied verification function is too strong, or overly restrictive, you can create your
own function and assign the appropriate database profiles to it.
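A custom verify function along the lines described above, as an added example that is not from the original text or from Oracle's utlpwdmg.sql. The names app_verify_function and app_user_profile and the 12-character minimum are assumptions; run it as SYS, because the function a profile references must be owned by SYS.

```sql
-- Added example: hypothetical site-specific password verify function.
-- Oracle calls it with the username, the proposed password, and the old password.
CREATE OR REPLACE FUNCTION app_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  min_length CONSTANT PLS_INTEGER := 12;  -- assumed site policy
BEGIN
  IF password IS NULL OR LENGTH(password) < min_length THEN
    raise_application_error(-20001, 'Password length less than ' || min_length);
  END IF;

  -- Reject passwords that embed the username, ignoring case.
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password contains the username');
  END IF;

  -- Require at least one letter and one digit.
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20003, 'Password needs a letter and a digit');
  END IF;

  -- old_password is NULL when a privileged user sets the password
  -- without supplying the old one, so only compare when it is present.
  IF old_password IS NOT NULL AND password = old_password THEN
    raise_application_error(-20004, 'Password same as the old password');
  END IF;

  RETURN TRUE;
END;
/

-- Attach the function to a dedicated profile and assign the profile to a user.
CREATE PROFILE app_user_profile LIMIT
  PASSWORD_VERIFY_FUNCTION app_verify_function;

ALTER USER heera PROFILE app_user_profile;

-- Confirm which verify function each profile enforces.
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION';
```

A failed check surfaces to the user as ORA-28003 followed by the ORA-20001 through ORA-20004 message raised by the function, in the same way as the session output shown earlier.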
Note
As of Oracle Database 12c, the SEC_CASE_SENSITIVE_LOGON parameter has been deprecated. Setting this
initialization parameter to FALSE allows you to make passwords case insensitive.
Limiting Database Resource Usage
As mentioned earlier, the password profile settings take effect as soon as you assign the profile to a user. Unlike
password settings, kernel resource profile restrictions don't take effect until you set the RESOURCE_LIMIT initialization
parameter to TRUE for your database; for example,
SQL> alter system set resource_limit=true scope=both;
 
 