How to enforce password policy in an Oracle database
- How we enable Unified Auditing in Oracle Database - 7 October 2024
- What is PostgreSQL and how do we do a full installation - September 2, 2024
- How do we configure GoldenGate replication to read from Oracle Data Guard Standby - 2 August 2024
As we know in an Oracle database through the User Profiles we can set restrictions on groups of users as to when and if a code expires (PASSWORD_LIFE_TIME
), how many days it has to change before it stops working (PASSWORD_GRACE_TIME
), after how many days it can be reused (PASSWORD_REUSE_TIME
) and after how many failed attempts it locks (FAILED_LOGIN_ATTEMPTS
). However, by default we cannot set restrictions regarding the size and complexity of the code.
In this article we will see how we install the builtin functions that allow us this feature and what options we have.
With the installation we have the possibility to activate one of the two functions per user profile.
ora12c_verify_function
By activating it ora12c_verify_function
the following rules will be met:
- The code must be at least 8 characters.
- The code must have at least 1 letter.
- The code must have at least 1 number.
- The code must not contain the username
- The code must not contain the username in reverse
- The code must not contain the server name
- Password cannot be common like 'oracle' and 'password1' .
- The code must not differ by at least 3 characters from the previous code.
ora12c_strong_verify_function
By activating it ora12c_strong_verify_function
the following rules will be met:
- The code must be at least 9 characters.
- The code must have at least 2 capital letters.
- The code must have at least 2 lowercase letters.
- The code must have at least 2 numbers.
- The code must have at least 2 special characters.
- The code must not differ by at least 3 characters from the previous code.
The installation
Through the sqlplus tool, execute the following command to install the functions:
sqlplus / as sysdba @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
But with the installation it will be activated automatically ora12c_verify_function
in the default profile, to disable it, run the following:
alter profile default limit password_verify_function null; alter profile default limit password_grace_time unlimited; alter profile default limit PASSWORD_LIFE_TIME unlimited; alter profile default limit PASSWORD_LOCK_TIME unlimited;
However, if some codes did not meet the criteria, e.g. if the code has passed 180 days, it will return to status EXPIRED(GRACE)
as the script automatically changed the PASSWORD_LIFE_TIME parameter to 180.
In this case we can generate the commands to re-pass the same codes to those users who belonged to the profile DEFAULT
and have returned to status EXPIRED(GRACE)
with the following script:
select 'ALTER USER ' ||USERNAME|| ' IDENTIFIED BY VALUES ''' ||spare4|| ''';' from dba_users du inner join sys.user$ su on du.username=su.name where 1=1 and profile='DEFAULT' and account_status='EXPIRED(GRACE)';
If during the user's connection an incompatibility issue appears with the password file, then we recreate it through the command line by setting the user's password sys
and format=12
:
orapwd file=$ORACLE_HOME/dbs/orapwdbname force=y password=passw0rd format=12
To enable it ora12c_verify_function
in a user profile we run the following command:
alter profile profile_name limit password_verify_function ora12c_verify_function;
To enable it ora12c_strong_verify_function
in a user profile we run the following command:
alter profile profile_name limit password_verify_function ora12c_strong_verify_function;
To see all the policies in a user profile, run the following query:
select * from dba_profile where PROFILE='DEFAULT';
As we see in this case it has been activated as PASSWORD_VERIFY_FUNCTION
the function ora12c_verify_function
.
Sources: