Setting Password Requirements for User Accounts

Oracle Database software includes profiles through which you can enforce password requirements, including the DEFAULT profile that applies to all users by default.

Note:

Passwords can contain only these special characters: ~ # ^ - _ + :

Passwords cannot contain these special characters: & ( ) ' % @ { } | ; , $ . * " < > ? ` ! [ / \ ] =


Default Behavior

The DEFAULT profile, which applies to all users by default in an Oracle Database installation, includes the following password-related requirements in Release 11gR2:

  • Password life time = 180 days

  • Password grace time = 7 days

  • Password reuse time and password reuse max = Unlimited

  • Failed login attempts = 10

    Note:

    In RDC, the default Failed Login Attempts setting of 10 in fact only allows for 5 failed login attempts before locking the account due to an incorrect password. This is because RDC uses proxy connections and tries to connect twice for each login attempt.

    In Oracle Clinical, this is not the case; a setting of 10 gives users 10 attempts.

  • Password lock time = 1 day

If these settings are acceptable, no action is needed: they apply to all accounts automatically. However, be sure to update internal account passwords; see Synchronizing Passwords in the WebLogic Admin Server.

Creating a Profile

To change the default settings, you can create a new profile for this purpose and assign it to all users. Use the CREATE PROFILE command to define a profile to specify your password policy.

Example 1-1 shows the SQL statements that create the OCL_USER_PROF profile and define the following password policies:

  • Password life time — Sets the number of days the same password can be used for authentication to 60 days.

  • Password grace time — Sets the time between expiration and lockout to 10 days.

  • Password reuse time and password reuse max — Indicates that the user can never reuse a password.

  • Failed login attempts

    Note:

    Set the number of failed login attempts to two times the number of failed attempts that you really want to allow. This is because Oracle Clinical uses proxy connections and tries the internal connection two times for each user attempt before locking the account due to an incorrect password.

    So in this example, FAILED_LOGIN_ATTEMPTS is set to 6, which effectively locks the account after 3 failed user attempts.

  • Password lock time — Locks the account for 2 days if there are 3 failed login attempts.

  • Allowed characters — Oracle Clinical and RDC do not support the use of special characters in passwords, which may cause errors. Use password profiles to prevent the use of special characters. Also see Changing Passwords.

For additional information, see the Oracle Database 2 Day + Security Guide 11g Release 2 (11.2) at http://docs.oracle.com/cd/B19306_01/network.102/b14266/policies.htm#i1006575

Example 1-1 Creating a Profile for Password Management

CREATE PROFILE OCL_USER_PROF LIMIT
    PASSWORD_LIFE_TIME    60          -- days the same password stays valid
    PASSWORD_GRACE_TIME   10          -- days between expiration and lockout
    PASSWORD_REUSE_TIME   1200        -- combined with REUSE_MAX UNLIMITED: never reuse
    PASSWORD_REUSE_MAX    UNLIMITED
    FAILED_LOGIN_ATTEMPTS 6           -- 3 user attempts (each one connects twice)
    PASSWORD_LOCK_TIME    2;          -- days the account stays locked
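The "Allowed characters" policy above is enforced in Oracle Database through a password verification function attached to the profile with PASSWORD_VERIFY_FUNCTION. The following is an added example, not code from Oracle Clinical or from the Oracle documentation: it rejects any password containing a character outside letters, digits and the special characters listed at the top of this section (~ # ^ - _ + :), and then attaches the function to the OCL_USER_PROF profile from Example 1-1. The function name ocl_verify_password and the minimum length of 8 are assumptions; the documentation states no minimum length.

```sql
-- Run as SYS: Oracle requires password verification functions to be owned by SYS.
CREATE OR REPLACE FUNCTION ocl_verify_password (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN
IS
BEGIN
    -- Permit only letters, digits and the special characters the documentation
    -- allows: ~ # ^ - _ + :   Everything else (& ( ) ' % @ { } | ; , $ . * " < > ? ` ! [ / \ ] =)
    -- is rejected. In the bracket expression, ^ is literal because it is not the
    -- first character and - is literal because it is the last one.
    IF NOT REGEXP_LIKE(password, '^[A-Za-z0-9~#^_+:-]+$') THEN
        raise_application_error(-20001,
            'Password may contain only letters, digits and ~ # ^ - _ + :');
    END IF;

    -- Assumed minimum length of 8 characters (not specified in the documentation).
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20002,
            'Password must be at least 8 characters long');
    END IF;

    RETURN TRUE;
END;
/

-- Attach the function to the profile created in Example 1-1, so every password
-- change for a user on OCL_USER_PROF is checked before it is accepted.
ALTER PROFILE OCL_USER_PROF LIMIT
    PASSWORD_VERIFY_FUNCTION ocl_verify_password;
```

Once the function is attached, an ALTER USER ... IDENTIFIED BY with a disallowed character fails with the ORA-20001 message rather than silently creating a password that Oracle Clinical or RDC cannot use.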

Assigning a Profile to Users

Assign the profile to users:

  • For new users, you can add a line to ocl_add_user.sql to assign the password-enforcing profile as you create each user account.

  • For existing PSUB users, you can add the same line to oclupg50migrateusers.sql to give all of them the profile at the same time that you migrate their account to the new PSUB requirements.

  • For other existing PSUB users, assign the profile individually or work with Oracle Support to develop a script to migrate them to the new profile.

The SQL statement required to assign a profile to a user is:

alter user user_name profile profile_name;

Example 1-2 Assigning a Profile to a User

alter user jjsmith profile ocl_user_prof;
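To assign the profile to several existing accounts at once, the same ALTER USER statement can be issued from a PL/SQL loop over DBA_USERS. The following is an added example, not a script from Oracle Clinical or Oracle Support: the first query lists accounts still on the DEFAULT profile so you can confirm which ones should move, and the block then assigns OCL_USER_PROF to a named set of accounts. The user names in the IN list are constructed for illustration.

```sql
-- Run as a DBA. First, report accounts that still use the DEFAULT profile.
SELECT username, profile, account_status
FROM   dba_users
WHERE  profile = 'DEFAULT'
ORDER  BY username;

-- Then assign OCL_USER_PROF to the accounts you have identified.
-- The user names below are constructed; replace them with your own list.
BEGIN
    FOR r IN (
        SELECT username
        FROM   dba_users
        WHERE  username IN ('JJSMITH', 'ABROWN', 'CLEE')   -- constructed list
        AND    profile <> 'OCL_USER_PROF'                  -- skip accounts already done
    ) LOOP
        -- Double quotes preserve the exact name stored in DBA_USERS.
        EXECUTE IMMEDIATE
            'ALTER USER "' || r.username || '" PROFILE OCL_USER_PROF';
        DBMS_OUTPUT.PUT_LINE('Assigned OCL_USER_PROF to ' || r.username);
    END LOOP;
END;
/

-- Verify: nothing from the list should remain on another profile.
SELECT username, profile
FROM   dba_users
WHERE  username IN ('JJSMITH', 'ABROWN', 'CLEE');
```

Run SET SERVEROUTPUT ON in SQL*Plus beforehand if you want to see the DBMS_OUTPUT lines. Re-running the block is safe, since accounts already on OCL_USER_PROF are skipped by the WHERE clause.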

Getting More Information

For more information about how to use password management and protection, see the Oracle® Database Security Guide 11g Release 2 (11.2).