Adding some random characters to Oracle password

I am working on Sarbarbes Oxley compliance for Oracle databases version 8.1.6.2 on HP UNIX 11. We have a third party application which requires a login for each user in the database. Application security is controlled through the application, so users can do only certain things from the application user interface.

Application is a Web based Oracle Forms 6i application which runs on a Windows Server, it then connects to database on HP UNIX.

However, the problem is that if users can connect to database directly using sqlplus, there is no security built in the database to control what a user can do, they can delete all the data if they want. Since, it is a third party application, I cannot change their code.

1. Since the database connection is made from windows Server to UNIX server and no end user has login on Windows Sever or NIX server, I was thinking of creating a logon trigger for every end user account and verifying that connection is made only from Forms server. This way, they cannot make direct connection from their PC. Does anyone see a problem with it?
2. My auditors told me Oracle has some tool where some random characters are added to password, so user will not know these characters (so they cannot make direct connection?)/ I have not heard of anything like that until now. Does anyone have more information on it? Auditors said instead d of creating logon triggers, I can probably use this tool.

Thanks a lot?

Prem Received on Tue Oct 26 2004 - 15:53:43 CDT