A Password Complexity Policies

A set of default rules should be followed when creating or updating a user password in order to enhance security. Password complexity policies do not apply to the SSL keystore password.

Any user that has the SYSOPER privilege can customize the global password policies and so control the complexity required when user passwords are created or updated. Oracle NoSQL Database checks that each new password is sufficiently complex to make it harder for an attacker to guess or brute-force a way into the system.

When the CREATE USER and ALTER USER commands are used, Oracle NoSQL Database checks whether the password being set complies with the password complexity policies. If it does not, the command fails with a message listing every policy the password violates. For example:

kv-> exec "create user test identified by \"password\""
Error handling command
exec "create user test identified by \"password\"":
Error: User error in query: CreateUser failed for:
Password must have at least 9 characters 

Password complexity checking is enabled by default (passwordComplexityCheck=true). You can enable or disable it like this:

kv-> change-policy -params passwordComplexityCheck=true

Then, you can change the password complexity policies by using the change-policy command. For example:

kv-> change-policy -params
passwordMinLength=20 passwordMaxLength=50 passwordMinUpper=3
passwordMinLower=3 passwordMinDigit=3 passwordMinSpecial=3 

The following password security parameters can be set (Parameter Name, Value Range and Type, Description):

passwordAllowedSpecial
    Value range and type: sub set or full set of #$%&'()*+,-./:; <=>?@[]^_`{|}~ (string)
    Description: Lists the allowed special characters.

passwordComplexityCheck
    Value range and type: [true|false] (boolean)
    Description: Whether to enable password complexity checking. The default value is true.

passwordMaxLength
    Value range and type: 1 - 2048 (integer)
    Description: The maximum length of a password. The default value is 256.

passwordMinDigit
    Value range and type: 0 - 2048 (integer)
    Description: The minimum required number of numeric digits. The default value is 2.

passwordMinLength
    Value range and type: 1 - 2048 (integer)
    Description: The minimum length of a password. The default value is 9.

passwordMinLower
    Value range and type: 0 - 2048 (integer)
    Description: The minimum required number of lower case letters. The default value is 2.

passwordMinSpecial
    Value range and type: 0 - 2048 (integer)
    Description: The minimum required number of special characters. The default value is 2.

passwordMinUpper
    Value range and type: 0 - 2048 (integer)
    Description: The minimum required number of upper case letters. The default value is 2.

passwordNotStoreName
    Value range and type: [true|false] (boolean)
    Description: If true, the password must not be the same as the current store name, nor the store name spelled backwards, nor the store name with any of the numbers 1-100 appended. The default value is true.

passwordNotUserName
    Value range and type: [true|false] (boolean)
    Description: If true, the password must not be the same as the current user name, nor the user name spelled backwards, nor the user name with any of the numbers 1-100 appended. The default value is true.

passwordProhibited
    Value range and type: list of strings separated by commas (string)
    Description: Simple list of words that are not allowed to be used as a password. The default reserved words are: oracle,password,user,nosql.

passwordRemember
    Value range and type: 0 - 256 (integer)
    Description: The maximum number of previous passwords to remember; none of them may be reused when setting a new password. The default value is 3.

Most of the special characters on a standard US keyboard are allowed in a password, with the exception of " (double quote) and \ (backslash).

To restrict passwords to a particular subset of special characters, set the passwordAllowedSpecial parameter. For example, to allow only @, #, space and $:

kv-> change-policy -params passwordAllowedSpecial="@# $" 
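The parameters in the table above are only evaluated by the server when CREATE USER or ALTER USER runs, so it is useful to be able to screen a candidate password offline first (for example in a provisioning script) and see the same kind of violation list the kv prompt would print. The following is an added example, not code from Oracle NoSQL Database: it re-implements the documented rules, taking the parameter names and default values from the table and honouring a restricted passwordAllowedSpecial such as the "@# $" set just shown. The class and function names, the wording of the messages that the page does not itself show, and the case-insensitive comparison used for the user name, store name and prohibited words are this example's own choices.

```python
"""Offline pre-check of a candidate password against the Oracle NoSQL
Database password complexity parameters.

Added example, not Oracle NoSQL Database code. Parameter names and defaults
follow the documented table; PasswordPolicy, check_password and the wording
of messages the documentation does not show are this example's own. The
case-insensitive comparison against the user name, store name and prohibited
words is also this example's choice.
"""
from dataclasses import dataclass

# Full set listed for passwordAllowedSpecial in the table (the space is kept
# as listed; the documented example "@# $" also includes one). The SSL
# keystore password is exempt from these policies and is not covered here.
FULL_SPECIAL = "#$%&'()*+,-./:; <=>?@[]^_`{|}~"


@dataclass
class PasswordPolicy:
    """Defaults as documented; override any field, as change-policy would."""
    passwordComplexityCheck: bool = True
    passwordMinLength: int = 9
    passwordMaxLength: int = 256
    passwordMinUpper: int = 2
    passwordMinLower: int = 2
    passwordMinDigit: int = 2
    passwordMinSpecial: int = 2
    passwordAllowedSpecial: str = FULL_SPECIAL
    passwordNotUserName: bool = True
    passwordNotStoreName: bool = True
    passwordProhibited: tuple = ("oracle", "password", "user", "nosql")
    passwordRemember: int = 3


def _name_variants(name):
    """The forms the passwordNotUserName / passwordNotStoreName rules forbid:
    the name itself, the name spelled backwards, and the name with each of
    the numbers 1-100 appended."""
    yield name
    yield name[::-1]
    for n in range(1, 101):
        yield f"{name}{n}"


def check_password(pw, policy, user_name, store_name, history=()):
    """Return the list of violations (an empty list means the password complies).

    history: the user's previous passwords, newest first. Only the most recent
    policy.passwordRemember entries are consulted, mirroring that parameter.
    """
    if not policy.passwordComplexityCheck:
        return []
    v = []
    if len(pw) < policy.passwordMinLength:
        v.append(f"Password must have at least {policy.passwordMinLength} characters")
    if len(pw) > policy.passwordMaxLength:
        v.append(f"Password must have at most {policy.passwordMaxLength} characters")

    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    digit = sum(c.isdigit() for c in pw)
    # Anything that is not a letter or digit counts as "special" and is then
    # checked against the allowed set; " and \ are never allowed.
    special = [c for c in pw if not c.isalnum()]
    disallowed = sorted({c for c in special
                         if c in '"\\' or c not in policy.passwordAllowedSpecial})
    if upper < policy.passwordMinUpper:
        v.append(f"Password must contain at least {policy.passwordMinUpper} upper case letters")
    if lower < policy.passwordMinLower:
        v.append(f"Password must contain at least {policy.passwordMinLower} lower case letters")
    if digit < policy.passwordMinDigit:
        v.append(f"Password must contain at least {policy.passwordMinDigit} numeric digits")
    if len(special) < policy.passwordMinSpecial:
        v.append(f"Password must contain at least {policy.passwordMinSpecial} special characters")
    if disallowed:
        v.append("Password contains special characters not in passwordAllowedSpecial: "
                 + "".join(disallowed))

    lowered = pw.lower()
    if policy.passwordNotUserName and lowered in {s.lower() for s in _name_variants(user_name)}:
        v.append("Password must not be derived from the user name")
    if policy.passwordNotStoreName and lowered in {s.lower() for s in _name_variants(store_name)}:
        v.append("Password must not be derived from the store name")
    if lowered in {w.lower() for w in policy.passwordProhibited}:
        v.append("Password is in the passwordProhibited list")
    if pw in tuple(history)[:policy.passwordRemember]:
        v.append(f"Password must differ from the last {policy.passwordRemember} passwords")
    return v


if __name__ == "__main__":
    # Constructed inputs: the rejected "password" from the documentation and a
    # compliant candidate, checked against the default policy.
    policy = PasswordPolicy()
    for candidate in ("password", "Xy7#Pq4$ab"):
        problems = check_password(candidate, policy, "test", "kvstore")
        print(candidate, "->", problems or "OK")
```

Running the block with the defaults reports five violations for "password" (too short, no upper case letters, no digits, no special characters, and a prohibited word) and accepts "Xy7#Pq4$ab". Passing PasswordPolicy(passwordAllowedSpecial="@# $") reproduces the effect of the change-policy command above: a password using % is rejected even though it otherwise meets the minimum counts.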

The policies are applied only when a password is created or changed; passwords that already exist are not re-checked when the policy is tightened. To enforce the new complexity rules for existing users, expire their current passwords so that each user is forced to choose a new one, like this:

  1. Review the existing users in the system:

    kv-> exec "show users"
    user:id=u1 name=root
    user:id=u3 name=user1
    user:id=u4 name=user2
    user:id=u5 name=user3 
  2. Set the new password complexity policies:

    kv-> change-policy -params
    passwordComplexityCheck=true passwordMinLength=9
    passwordMinUpper=2 passwordMinLower=2
    passwordMinSpecial=2 passwordMinDigit=2 
  3. Finally, change the existing user's password life time to be expired:

    kv-> exec "alter user user1 password expire"
    Statement completed successfully
    kv-> exec "alter user user2 password expire"
    Statement completed successfully
    kv-> exec "alter user user3 password expire"
    Statement completed successfully 

In this case, user1, user2, and user3 must each renew their password according to the new policy. For example, when user1 next logs in, the system prompts for a new password:

java -Xmx64m -Xms64m \
-jar kvstore.jar runadmin -host localhost \
-port 5000 -security login_file
user1's password:
The password of user1 has expired, it is required to
change the password.
Enter the new password:
Re-enter the new password: 

If the new password violates any password complexity policies, an exception with a violation message will be thrown. For example:

user1's password:
The password of user1 has expired, it is required to
change the password.
Enter the new password: password
Re-enter the new password: password
Exception in thread "main" oracle.kv.AuthenticationFailureException:
Renew password failed:
Password must have at least 9 characters
Password must contain at least 2 upper case letters
Password must contain at least 2 lower case letters
... 

Note:

After the password is reset, if you’re using Oracle Wallet for external password storage, you must recreate the wallet files for all your Oracle NoSQL Database user accounts. See Oracle Wallet.