Configuring Password Policy Properties

The single instance password-policy configuration element defines the password policy.

  1. From superuser mode, use the following command path to access password-policy configuration mode.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# password-policy
    ORACLE(password-policy)#

    The password-policy configuration element properties (with the introduction of the Admin Security or Admin Security ACP license) are shown below with their default values.

    min-secure-pwd-length       8 
    expiry-interval             90 
    expiry-notify-period        30 
    grace-period                30 
    grace-logins                3 
    password-history-count      3 
    password-change-interval    24 
    password-policy-strength    disabled 
  2. The min-secure-pwd-length command is ignored when the Admin Security ACP license is installed and the password-policy-strength configuration element is set to enabled.
  3. Use the expiry-interval command to specify the password lifetime in days. Password lifetime tracking begins when a password is changed.

    Allowable values are integers within the range 1 through 65535, with a default value of 90 (days).

    ORACLE(password-policy)# expiry-interval 60
    ORACLE(password-policy)#
  4. Use the password-change-interval command to specify the minimum password lifetime (the minimum time that must elapse between password changes).

    Allowable values are integers within the range 1 through 24, with a default value of 24 (hours).

    ORACLE(password-policy)# password-change-interval 18
    ORACLE(password-policy)#
  5. Use the expiry-notify-period command to specify the number of days prior to expiration that users begin to receive password expiration notifications.

    Allowable values are integers within the range 1 through 90, with a default value of 30 (days).

    During the notification period, users are reminded of impending password expiration at both Session Director login and logout.

    ORACLE(password-policy)# expiry-notify-period 10
    ORACLE(password-policy)#
  6. Use the grace-period command in conjunction with the grace-logins command to police user access after password expiration.

    After password expiration, users are granted some number of logins (specified by the grace-logins command) for some number of days (specified by the grace-period command). Once the number of logins has been exceeded, or once the grace period has expired, the user is forced to change his or her password.

    Allowable values for grace-period are integers within the range 1 through 90, with a default value of 30 (days).

    Allowable values for grace-logins are integers within the range 1 through 10, with a default value of 3 (logins).

    ORACLE(password-policy)# grace-period 1
    ORACLE(password-policy)# grace-logins 1
    ORACLE(password-policy)#
  7. Use the password-history-count command to specify the number of previously used passwords retained in encrypted format in the password history cache.

    Allowable values are integers within the range 1 through 10, with a default value of 3 (retained passwords).

    By default, a user’s three most recently expired passwords are retained in the password history. As the user’s current password is changed, that password is added to the history, replacing the oldest password entry.

    New, proposed passwords are evaluated against the contents of the password cache to prevent password re-use and guard against minimal password changes.

    ORACLE(password-policy)# password-history-count 10
    ORACLE(password-policy)#
  8. (Optional) Use the password-policy-strength command to enable the enhanced password strength requirements.

    In the absence of the Admin Security ACP license, this command can be safely ignored.

    password-policy-strength may be enabled when the Admin Security ACP license is enabled. This license includes all the password security features contained in the Admin Security license and also adds password strength requirements beyond those imposed by the Admin Security license. Specific new requirements are as follows:

    • passwords cannot contain two or more characters from the user ID

      For example, given a user ID of administrator, the password thispasswordistragic is not allowed because istra is a substring of administrator.

    • passwords cannot contain a sequence of three or more characters from any password contained in the password history cache
    • passwords cannot contain a sequence of two or more characters more than once

      For example, ...w29W29... is legal; ...w29W29&&29... is not.

    • passwords cannot contain either sequential numbers or characters, or repeated characters more than once

      For example, 66666, aaaa, abcd, fedc, 1234, and 7654 all render a password illegal.

    In the absence of the Admin Security ACP license, retain the default value (disabled). With the Admin Security ACP license installed, use enabled to add the new password requirements as listed above; use disabled to retain only the password requirements defined by the Admin Security license.

    ORACLE(password-policy)# password-policy-strength enabled
    ORACLE(password-policy)#
  9. Use done, exit, and verify-config to complete the password policy configuration.
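The following is an added reference checker for the four password-policy-strength rules listed in step 8; it is example code, not Oracle's implementation. It assumes that user-ID and history comparisons are case-insensitive, that "sequential" means a run of three or more consecutive ascending or descending characters, that "repeated more than once" means three or more occurrences (so w29W29 passes and w29W29&&29 fails, as the text states), and that the history passwords are supplied already decrypted from the cache.

```python
# Added example (not Oracle's code): a reference checker for the
# password-policy-strength rules described on this page.
# Assumptions: user-ID and history comparisons are case-insensitive;
# "sequential" means a run of seq_len consecutive ascending or descending
# code points; history passwords are supplied already decrypted.

def _substrings(s, n):
    """All substrings of s with length exactly n."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}

def _is_sequential(run):
    """True if run is strictly ascending or descending by one code point."""
    steps = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
    return steps == {1} or steps == {-1}

def check_password_strength(password, user_id, history=(), seq_len=3):
    """Return a list of rule violations (an empty list means the password passes)."""
    problems = []
    pw_lower = password.lower()
    # Rule 1: no two or more consecutive characters taken from the user ID.
    if any(frag in pw_lower for frag in _substrings(user_id.lower(), 2)):
        problems.append("contains characters from the user ID")
    # Rule 2: no sequence of three or more characters from a history password.
    for old in history:
        if any(frag in pw_lower for frag in _substrings(old.lower(), 3)):
            problems.append("contains a sequence from a previous password")
            break
    # Rule 3: no two-or-more-character sequence repeated more than once,
    # i.e. appearing three or more times ("w29W29" passes, "w29W29&&29" fails).
    for frag in _substrings(password, 2):
        if sum(password[i:i + 2] == frag for i in range(len(password) - 1)) > 2:
            problems.append("repeats the sequence %r more than once" % frag)
            break
    # Rule 4: no sequential run (abcd, fedc, 1234, 7654) and no character
    # repeated more than once in a row (aaa, 666).
    for i in range(len(password) - seq_len + 1):
        run = password[i:i + seq_len]
        if len(set(run)) == 1 or _is_sequential(run):
            problems.append("contains sequential or repeated characters %r" % run)
            break
    return problems
```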