Password Policy

The Admin Security feature set supports the creation of password policies that enhance the authentication process by imposing requirements for:

  • password length
  • password strength
  • password history and re-use
  • password expiration and grace period

The Admin Security feature set restricts access to the ACP ports and mandates the following password length/strength requirements.

  • user password must contain at least 9 characters (Admin Security only)
  • admin password must contain at least 15 characters
  • passwords must contain at least 2 lower case alphabetic characters
  • passwords must contain at least 2 upper case alphabetic characters
  • passwords must contain at least 2 numeric characters
  • passwords must contain at least 2 special characters (such as ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~)
  • passwords must differ from the prior password by at least 4 characters
  • passwords cannot contain, repeat, or reverse the entire user name
  • passwords cannot contain three consecutive identical characters

The Admin Security ACP add-on feature imposes the same password length/strength requirements as above except for the minimum length requirement, and also provides access to the ACP ports.

When you set the password-policy-strength property of the password-policy configuration element to enabled as part of the Admin Security ACP feature, you impose the following requirements in addition to those enforced with the Admin Security feature:
  • passwords cannot contain two or more sequential characters from the user ID. This rule is not case sensitive. For example, if the username is "admin", the password cannot contain "ad" or "AD".
  • passwords cannot contain a sequence of three or more characters from any password contained in the password history cache
  • passwords cannot contain a sequence of two or more characters more than once
  • passwords cannot contain either sequential numbers or characters

In the absence of the Admin Security ACP feature, you may safely ignore the password-policy-strength config property and retain the default value (disabled). For more information, see Configuring the Admin Security with ACP Password Rules.

Some specific password policy properties, specifically those regarding password lifetime and expiration procedures, are also applicable to SSH public keys used to authenticate client users.

Configuring Password Policy Properties

The single instance password-policy configuration element defines the password policy.

  1. From superuser mode, use the following command path to access password-policy configuration mode.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# password-policy
    ORACLE(password-policy)#

    The password-policy configuration element properties (with the introduction of the Admin Security or JITC feature) are shown below with their default values.

    min-secure-pwd-length       8 
    expiry-interval             90 
    expiry-notify-period        30 
    grace-period                30 
    grace-logins                3 
    password-history-count      3 
    password-change-interval    24 
    password-policy-strength    disabled 
  2. The min-secure-pwd-length command is ignored when the Admin Security with ACP feature is installed and the password-policy-strength configuration element is set to enabled.
  3. Use the expiry-interval command to specify the password lifetime in days. Password lifetime tracking begins when a password is changed.
    Allowable values are integers within the range 0 through 65535, with a default value of 90 (days).

    Note:

    The minimum expiry-interval is 0 with a provisioned JITC feature only and remains 1 when only an Admin Security feature is provisioned.
    ORACLE(password-policy)# expiry-interval 60
    ORACLE(password-policy)#
  4. Use the password-change-interval command to specify the minimum password lifetime (the minimum time that must elapse between password changes).

    Allowable values are integers within the range 1 through 24, with a default value of 24 (hours).

    ORACLE(password-policy)# password-change-interval 18
    ORACLE(password-policy)#
  5. Use the expiry-notify-period command to specify the number of days prior to expiration that users begin to receive password expiration notifications.

    Allowable values are integers within the range 1 through 90, with a default value of 30 (days).

    During the notification period, users are reminded of impending password expiration at both Session Director login and logout.

    ORACLE(password-policy)# expiry-notify-period 10
    ORACLE(password-policy)#
  6. Use the grace-period command in conjunction with the grace-logins command to police user access after password expiration.

    After password expiration, users are granted some number of logins (specified by the grace-logins command) for some number of days (specified by the grace-period command). Once the number of logins has been exceeded, or once the grace period has expired, the user is forced to change his or her password.

    Allowable values for grace-period are integers within the range 1 through 90, with a default value of 30 (days).

    Allowable values for grace-logins are integers within the range 1 through 10, with a default value of 3 (logins).

    ORACLE(password-policy)# grace-period 1
    ORACLE(password-policy)# grace-logins 1
    ORACLE(password-policy)#
  7. Use the password-history-count command to specify the number of previously used passwords retained in encrypted format in the password history cache.
    Allowable values are integers within the range 1 through 24, with a default value of 3 (retained passwords).

    Note:

    The maximum password-history-count is 24 with a provisioned JITC feature only and remains 10 when only an Admin Security feature is provisioned.

    By default, a user’s three most recently expired passwords are retained in the password history. As the user’s current password is changed, that password is added to the history, replacing the oldest password entry.

    New, proposed passwords are evaluated against the contents of the password cache, to prevent password re-use, and guard against minimal password changes.

    ORACLE(password-policy)# password-history-count 10
    ORACLE(password-policy)#
  8. (Optional) Use the password-policy-strength command to enable the enhanced password strength requirements.

    In the absence of the Admin Security ACP feature set, this command can be safely ignored.

    password-policy-strength may be enabled when the Admin Security with ACP feature is enabled. This feature includes all of the password security features contained in the Admin Security feature set and also adds password strength requirements beyond those imposed by Admin Security. Specific new requirements are as follows:

    • passwords cannot contain two or more sequential characters from the user ID

      For example, given a user ID of administrator, the password thispasswordistragic is not allowed because istra is a substring of administrator.

    • passwords cannot contain a sequence of three or more characters from any password contained in the password history cache
    • passwords cannot contain a sequence of two or more characters more than once

      For example, ...w29W29... is legal; ...w29W29&&29... is not.

    • passwords cannot contain either sequential numbers or characters, or repeated characters more than once

      For example, 666, 66666, aaa, aaaa, abcd, fedc, 1234, and 7654 all render a password illegal.

    In the absence of the Admin Security ACP feature, retain the default value (disabled). With the Admin Security with ACP feature installed, use enabled to add the new password requirements as listed above; use disabled to retain only the password requirements defined by Admin Security.

    ORACLE(password-policy)# password-policy-strength enabled
    ORACLE(password-policy)#
  9. Use done, exit and verify-config to complete the password policy configuration.
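The Admin Security length/strength rules and the additional password-policy-strength rules listed above, implemented as an offline pre-check so a password can be validated before it is set with secret login or secret enable. This is an added example, not Oracle's code, and it does not reproduce the device's exact checking logic: the check_password function, the metric used for "differ by at least 4 characters" and the run length used for the sequential-character test are assumptions, and the page's own "w29W29" example suggests the device counts repeated two-character sequences more leniently than the literal rule implemented here.

```python
import re

# Special characters the policy accepts (taken from the page's list).
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")

def _runs(s, n):
    """Every length-n substring of s, used for the sequence-overlap checks."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}

def _is_sequential(chunk):
    """True for strictly ascending or descending runs such as 'abc' or '765'."""
    steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
    return steps == {1} or steps == {-1}

def check_password(pw, username, prior=None, history=(), min_len=15, strength=False):
    """Return the violated rules (empty list = acceptable). min_len is 15 for admin,
    9 for user; strength=True adds the password-policy-strength (ACP) rules."""
    v = []
    if len(pw) < min_len:
        v.append(f"shorter than {min_len} characters")
    classes = {"lower case letters": str.islower, "upper case letters": str.isupper,
               "digits": str.isdigit, "special characters": SPECIALS.__contains__}
    v += [f"fewer than 2 {name}" for name, f in classes.items()
          if sum(f(c) for c in pw) < 2]
    # "Differ by 4 characters" is measured as position-wise mismatches plus the
    # length difference; the exact metric the device uses is an assumption.
    if prior is not None:
        if sum(a != b for a, b in zip(pw, prior)) + abs(len(pw) - len(prior)) < 4:
            v.append("differs from the prior password by fewer than 4 characters")
    if username in pw or username[::-1] in pw:
        v.append("contains or reverses the user name")
    if re.search(r"(.)\1\1", pw):
        v.append("three consecutive identical characters")
    if strength:
        if _runs(username.lower(), 2) & _runs(pw.lower(), 2):  # case-insensitive rule
            v.append("contains 2 or more sequential characters of the user ID")
        if any(_runs(h, 3) & _runs(pw, 3) for h in history):
            v.append("shares a 3-character sequence with a password in the history")
        pairs = [pw[i:i + 2] for i in range(len(pw) - 1)]
        if len(pairs) != len(set(pairs)):
            v.append("contains a 2-character sequence more than once")
        if any(_is_sequential(c) for c in _runs(pw, 3)):  # run length 3 is assumed
            v.append("contains sequential numbers or characters")
    return v

if __name__ == "__main__":
    # The page's own example: rejected because "istra" is a substring of the user ID.
    print(check_password("thispasswordistragic", "administrator", strength=True))
```

An empty list means every implemented rule passed; run the check against the account's real user ID and its retained history, since the device also compares against the password history cache.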

Configuring the Administrative Security with ACP Password Rules

To enforce the stronger password rules and restrictions that the Administrative Security ACP license provides, you must enable the password-policy-strength parameter.

  • Confirm that the Administrative Security ACP license is installed on the system.
  • You must have Superuser permissions.
From the command line, go to the password-policy configuration element and set the password-policy-strength parameter to enabled.

Note:

The password-policy configuration element displays the min-secure-pwd-len command. You do not need to configure the min-secure-pwd-len command because the Administrative Security ACP license overrides this command with a stronger rule.

You can configure any of the other password policy settings without a system override, according to the ranges specified in this procedure. For more information about the ranges, see "Administrative Security ACP License Configuration."

  1. Access the password-policy configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# password-policy
    ORACLE(password-policy)# 
  2. Type select, and press ENTER.
  3. Type show, and press ENTER.
  4. Configure the following password policy settings, as needed:
    • expiry-interval. 1-65535 days.
    • expiry-notify-period. 1-90 days.
    • grace-period. 1-90 days.
    • grace-logins. 1-10 attempts.
    • password-history-count. 1-10 passwords.
    • password-change-interval. 1-24 hours.
    • password-policy-strength. Type enabled, and press ENTER.
  5. Do the following:
    1. Type done, and press ENTER.
    2. Type exit, and press ENTER.
    3. Type done, and press ENTER.

Changing a Password

As shown in the following figures, the password-policy configuration element provides prior notice of impending password expiration via the login banner display, and with additional notices when ending a login session.

This screenshot of the CLI shows the notice the SBC displays to alert users about an impending password expiration. The SBC provides an additional notice when ending a login session.

Password Expiration Notices at Login and Logout

After password expiration, additional notices are displayed with each grace login. If all notices are ignored, the password-policy enforces a password change when grace logins have been exhausted, or when the grace period has elapsed.

This screenshot of the CLI shows the notice the OCSBC displays to alert users how many grace logins they have left.

Changing Password Process

To change your password in response to (1) an impending expiration notice displayed within the login banner or at system logout, (2) a grace login notice, or (3) an expiration notice:

  1. If responding to an impending expiration notice, or a grace login notice, type y at the Do you want to change the password ... prompt.
  2. Provide a new, valid password in response to the Enter New Password: prompt.
  3. Re-enter the password in response to the Confirm New Password: prompt.
  4. If performing a login, enter y to acknowledge reading the login banner to complete login with the new password.

    The user account can change the password only in response to one of the three notifications described above.

    Similarly, the admin account can change the password in response to the same notifications. Additionally, these accounts can change passwords using the ACLI as described in the following sections.

Changing the user Password

Change the user password from the # (admin) prompt.

  1. Enter secret login at the prompt and provide the current password when challenged.
    ORACLE# secret login
    Enter current password :
  2. Type the new password in response to the Enter new password : prompt.
    ORACLE# secret login
    Enter current password :
    Enter new password :
  3. Confirm the password in response to the Enter password again : prompt.
    ORACLE# secret login
    Enter current password :
    Enter new password :
    Enter password again :
    ORACLE# 

Changing the admin Password

Change the admin password from the # (admin) prompt.

  1. Enter secret enable at the prompt and provide the current password when challenged.
    ORACLE# secret enable
    Enter current password :
  2. Type the new password in response to the Enter new password : prompt.
    ORACLE# secret enable
    Enter current password :
    Enter new password :
  3. Confirm the password in response to the Enter password again : prompt.
    ORACLE# secret enable
    Enter current password :
    Enter new password :
    Enter password again :
    ORACLE# 

Changing a Passcode

A passcode is a secondary credential passed to the authentication process when two-factor authentication is enabled. Passcodes are subject to the length/strength requirements imposed by the password policy, but are not bound by the other policy mandates regarding history, re-use, and expiration.

The admin account can change passcodes using the ACLI as described below.

Change the user passcode from the # (admin) prompt.

  1. Enter secret login passcode at the prompt.
    ORACLE# secret login passcode
    Enter Current Passcode :
  2. Type the current passcode in response to the Enter Current Passcode : prompt.
    ORACLE# secret login passcode
    Enter Current Passcode :
    Enter New Passcode :
  3. Type the new passcode in response to the Enter New Passcode : prompt.
    ORACLE# secret login passcode
    Enter Current Passcode :
    Enter New Passcode :
    Confirm New Passcode :
  4. Confirm the new passcode in response to the Confirm New Passcode : prompt.
    ORACLE# secret login passcode
    Enter Current Passcode :
    Enter New Passcode :
    Confirm New Passcode :
    % Success
    ORACLE# 

Changing the admin Passcode

Change the admin passcode from the # (admin) prompt.

  1. Enter secret enable passcode at the prompt.
    ORACLE# secret enable passcode
    Enter Current Passcode :
  2. Type the current passcode in response to the Enter Current Passcode : prompt.
    ORACLE# secret enable passcode
    Enter Current Passcode :
    Enter New Passcode :
  3. Type the new passcode in response to the Enter New Passcode : prompt.
    ORACLE# secret enable passcode
    Enter Current Passcode :
    Enter New Passcode :
    Confirm New Passcode :
  4. Confirm the new passcode in response to the Confirm New Passcode : prompt.
    ORACLE# secret enable passcode
    Enter Current Passcode :
    Enter New Passcode :
    Confirm New Passcode :
    % Success
    ORACLE# 

RADIUS and TACACS+ Passwords

With RADIUS or TACACS+ enabled, passwords are stored and controlled on the remote server or servers. Consequently, none of the length/strength, re-use, history, or expiration requirements mandated by the password policy are applicable to these passwords.