RE: Enforcing password rules in oracle database

From: John Hallas <John.Hallas_at_morrisonsplc.co.uk>
Date: Fri, 18 Mar 2011 09:16:15 +0000
Message-ID: <EC65ECF8123FEE4D8FC5B212637C3040BC0F8465A1_at_EXCH1.morrisonsplc.co.uk>

The creation of external users would be managed by the DBA who is yourself presumably. If that is your policy then do not create externally identified users. The sample verify function provided by oracle is a good starting point but there are others available on the net which you can customise to your specific requirements.

Step 4 is done by the use of audit, all the profile can do is restrict access after x number of failed attempts

www.jhdba.wordpress.com

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Mahesh G Sent: 18 March 2011 08:31
To: oracle-l_at_freelists.org
Subject: Enforcing password rules in oracle database

Hi all,

We have one requirement to enforce below mentioned password rules for all newly created user accounts in our environment.

All passwords must have at least 7 characters in length
All Logins will require the use of a password
Passwords must not match the username
Unsuccessful login attempts must be audited
Password duration <= 90 days
Failed logins limit = 6

Oracle built-in feature, setting Default profile and calling verify_function function ($ORACLE_HOME/rdbms/admin/utlpwdmg.sql ) doesnt serve my purpose. Because 2 rule will be violated for those users who use external password option. My env is combination of 9i, 10g & 11g version databases.

Can you recommend / suggest any best way to implement the above rules ? It would be great help.

Regards,
- Mahesh

Wm Morrison Supermarkets Plc is registered in England with number 358949. The registered office of the company is situated at Gain Lane, Bradford, West Yorkshire BD3 7DL. This email and any attachments are intended for the addressee(s) only and may be confidential.

If you are not the intended recipient, please inform the sender by replying to the email that you have received in error and then destroy the email. If you are not the intended recipient, you must not use, disclose, copy or rely on the email or its attachments in any way.

This email does not constitute a contract in writing for the purposes of the Law of Property (Miscellaneous Provisions) Act 1989.

Our Standard Terms and Conditions of Purchase, as may be amended from time to time, apply to any contract that we enter into. The current version of our Standard Terms and Conditions of Purchase is available at: http://www.morrisons.co.uk/gscop

Although we have taken steps to ensure the email and its attachments are virus-free, we cannot guarantee this or accept any responsibility, and it is the responsibility of recipients to carry out their own virus checks.

--
http://www.freelists.org/webpage/oracle-l

Received on Fri Mar 18 2011 - 04:16:15 CDT

This message: [ Message body ]
Next message: Sriram Kumar: "Re: DBMS_APPLICATION_INFO and Business Objects Data Integrator"
Previous message: Harel Safra: "Re: reproducing errors in phy env"
In reply to: Mahesh G: "Enforcing password rules in oracle database"
Next in thread: Dunbar, Norman (Capgemini): "RE: Enforcing password rules in oracle database"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message