Password Protection

No matter your security situation, you have considerable flexibility in setting up passwords for your staff and your customers.

If the data protected by a password is not critical or subject to privacy legislation, the default values in Oracle B2C Service may be acceptable. The most serious threats to passwords include:

  • Password cracking by brute-force attack or an exhaustive key search.
  • Nefarious activities, such as phishing and other social engineering attacks.
  • Inadvertent release by users (staff members or customers) who write down their passwords, send them in emails, or expose them to the public in other ways.

The choice of password controls depends on your security situation. For example, if users do not log in often, setting password expiration parameters can result in unnecessarily locked accounts and frustrated users. While locking accounts can prevent some brute-force and denial-of-service attacks, it can also increase administrative overhead.

If you require your users to change their passwords regularly, you need to save password history (at least the five previous passwords) to prevent reuse. It is common for users to make a minor change to their password and eventually cycle back to the original, so it is difficult to assess the value of this strategy.
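The history check described above, as an added example that is not Oracle B2C Service code: a small store that keeps each user's current password hash plus the last five, and rejects a new password that matches any of them. The class name, the PBKDF2 parameters and the in-memory storage are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

HISTORY_DEPTH = 5            # the "at least five previous passwords" recommendation
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration

Entry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Entry:
    """Hash with PBKDF2-HMAC-SHA256; a fresh random salt unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordHistory:
    """Per-user current hash plus the last `depth` retired hashes (in-memory, hypothetical)."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.current: Dict[str, Entry] = {}
        self.previous: Dict[str, List[Entry]] = {}

    @staticmethod
    def _matches(password: str, entry: Entry) -> bool:
        salt, stored = entry
        _, candidate = hash_password(password, salt)   # re-hash with the stored salt
        return hmac.compare_digest(candidate, stored)   # constant-time comparison

    def is_reused(self, user: str, password: str) -> bool:
        """True if the candidate equals the current password or any retained old one."""
        entries = [self.current[user]] if user in self.current else []
        entries.extend(self.previous.get(user, []))
        return any(self._matches(password, e) for e in entries)

    def set_password(self, user: str, password: str) -> bool:
        """Reject reuse; otherwise retire the current hash into history and store the new one."""
        if self.is_reused(user, password):
            return False
        if user in self.current:
            hist = self.previous.setdefault(user, [])
            hist.insert(0, self.current[user])
            del hist[self.depth:]                       # keep only the newest `depth` entries
        self.current[user] = hash_password(password)
        return True
```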

If you are concerned that passwords could be compromised by poor handling by users (writing passwords down) or by some form of attack, consider requiring regular changes. However, mandating frequent password changes in an environment where passwords are strong and are not shared does not enhance security and may actually hamper it by creating an environment that causes people to store passwords in electronic or written media.

The topics in this section provide helpful information about your configuration options and identify tips for configuring secure passwords throughout your system.