What Are the Oracle Database Built-in Password Protections?
Oracle Database provides a set of built-in password protections designed to protect your users’ passwords.
These password protections are as follows:
-
Password encryption. Oracle Database automatically and transparently encrypts passwords during network (client-to-server and server-to-server) connections, using Advanced Encryption Standard (AES) before sending them across the network. However, a password that is specified within a SQL statement (such as
CREATE USER user_name IDENTIFIED BY password;) is still transmitted across the network in clear text in the network trace files. For this reason, you should have native network encryption enabled or configure Transport Layer Security (TLS) encryption. -
Password complexity checking. In a default installation, Oracle Database provides the
ora12c_verify_functionandora12c_strong_verify_functionpassword verification functions to ensure that new or changed passwords are sufficiently complex to prevent intruders who try to break into the system by guessing passwords. You must manually enable password complexity checking. You can further customize the complexity of your users’ passwords. -
Preventing passwords from being broken. If a user tries to log in to Oracle Database multiple times using an incorrect password, Oracle Database delays each login by one second. This protection applies for attempts made from different IP addresses or multiple client connections. This feature significantly decreases the number of passwords that an intruder would be able to try within a fixed time period when attempting to log in. The failed login delay slows down each failed login attempt, increasing the overall time that is required to perform a password-guessing attack, because such attacks usually require a very large number of failed login attempts.
For non-administrative logins, Oracle Database protects against concurrent password guessing attacks by setting an exclusive lock for the failed login delay. This prevents an intruder from attempting to sidestep the failed login delay when the intruder tries the next concurrent guess in a different database session as soon as the first guess fails and is delayed.
By holding an exclusive lock on the account that is being attacked, Oracle Database mitigates concurrent password guessing attacks, but this can simultaneously leave the account vulnerable to denial-of-service (DoS) attacks. To remedy this problem, you should create a password profile where the
FAILED_LOGIN_ATTEMPTSparameter is set toUNLIMITED, and then apply this password profile to the user account. The valueUNLIMITEDfor theFAILED_LOGIN_ATTEMPTSparameter setting disables failed login delays and does not limit the number of failed login attempts. For these types of accounts, Oracle recommends that you use a long random password.The concurrent password-guessing attack protection does not apply to administrative user connections, because these kinds of connections must remain available at all times and be immune to denial-of-service attacks. Hence, Oracle recommends that you choose long passwords for any administrative privileged account.
-
Enforced case sensitivity for passwords. Passwords are case sensitive. For example, the password
hPP5620qrfails if it is entered ashpp5620QRorhPp5620Qr. Case sensitivity affects password files and database links. -
Passwords hashed using the 12C password version. To verify the user’s password and enforce case sensitivity in password creation, Oracle Database uses the
12Cpassword version, which is based on a de-optimized algorithm that involves Password-Based Key Derivation Function (PBKDF2) and the SHA-512 cryptographic hash functions.