Password Management

Password management settings let you strengthen the security of user authentication.

This section provides an overview of password management in TimesTen.

Password Management Features

Password management features can enhance the security of your TimesTen database.

Password Lifetime and Grace Time

You can limit how long a user can continue to use the same password before it expires, and set a grace period that follows that lifetime. During the grace period, the password is still accepted, but a warning is issued.

Limitations on Password Reuse

While limiting password lifetimes enhances system security, allowing users to frequently reuse previous passwords diminishes the effectiveness of those limits.

When a user is changing their password, you can specify:

  • A minimum period of time that must pass before a previous password can be reused.

  • The number of password changes that must occur before a previous password can be reused.

Both of these must be satisfied before a password can be reused. For example, if PASSWORD_REUSE_TIME is 30 and PASSWORD_REUSE_MAX is 10, the user can reuse a password after 30 days if it is not one of the last 10 passwords used.

If only one of the two is set to unlimited, a password can never be reused. If both are set to unlimited, there are no limits on how often a password can be reused.

Maximum Failed Login Attempts and Password Lock Time

Hackers may try to access TimesTen by repeatedly guessing passwords until one works. You can limit the number of failed attempts that are allowed and how long the account is locked after this maximum number is reached.

Password Complexity Checker

TimesTen offers a set of PL/SQL functions you can choose from to test for sufficient password complexity. This functionality helps ensure that user passwords are strong enough to provide the desired level of protection for your system.

These functions are provided:

  • TT_VERIFY_FUNCTION (basic protection)
  • TT_STRONG_VERIFY_FUNCTION (stronger protection)
  • TT_STIG_VERIFY_FUNCTION (protection according to the Department of Defense Database Security Technical Implementation Guide)

Checks are run against passwords newly specified through the CREATE USER or ALTER USER statement. If the password does not have sufficient complexity, the statement fails with an error.

You can specify a password complexity verification function when you create or alter a user profile with the CREATE PROFILE or ALTER PROFILE statement. Set the PASSWORD_COMPLEXITY_CHECKER parameter to the desired function, or to NULL for no complexity checking, or to DEFAULT to set complexity checking according to the DEFAULT user profile (NULL by default). Then specify that profile when you create or alter a user through the CREATE USER or ALTER USER statement.

Refer to CREATE PROFILE in Oracle TimesTen In-Memory Database SQL Reference.

Note:

  • TimesTen does not support user-defined password complexity functions.
  • The CREATE PROFILE or ALTER PROFILE parameter PASSWORD_VERIFY_FUNCTION is equivalent to PASSWORD_COMPLEXITY_CHECKER.

Profile for Password Management

TimesTen employs profiles to specify settings of the password management parameters.

A profile sets the parameters for the features described in the preceding section: PASSWORD_LIFE_TIME, PASSWORD_GRACE_TIME, PASSWORD_REUSE_TIME, PASSWORD_REUSE_MAX, FAILED_LOGIN_ATTEMPTS, and PASSWORD_LOCK_TIME.

The same profile can be used for multiple users, and there is a default profile. A user who is not assigned a profile will use the default profile. Also, a setting of DEFAULT for any parameter in a profile will result in use of the value from the default profile.

The CREATE PROFILE SQL statement creates a profile. Specify PROFILE in a CREATE USER statement to assign an existing profile to a user.

See CREATE PROFILE, ALTER PROFILE, CREATE USER, or ALTER USER in Oracle TimesTen In-Memory Database SQL Reference.
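
The procedure described above, written out as SQL. This is an added example, not taken from the TimesTen documentation: the profile and user names, the numeric limits, and the password placeholder are assumptions chosen for illustration. Time-based limits are given in days.

```sql
-- Added example. app_users_profile, appuser1, appuser2 and every numeric
-- limit below are illustrative assumptions, not recommended or default values.

-- One profile that sets each password management parameter named above.
CREATE PROFILE app_users_profile LIMIT
  FAILED_LOGIN_ATTEMPTS       5    -- lock the account after 5 failed attempts
  PASSWORD_LOCK_TIME          1    -- keep the account locked for 1 day
  PASSWORD_LIFE_TIME          90   -- password expires after 90 days
  PASSWORD_GRACE_TIME         7    -- then 7 days of accepted logins with a warning
  -- Reuse: both limits are finite, so an old password becomes reusable only
  -- after 30 days AND once it is no longer one of the last 10 passwords.
  -- Setting just one of the two to UNLIMITED would mean an old password can
  -- never be reused; setting both to UNLIMITED removes the limits entirely.
  PASSWORD_REUSE_TIME         30
  PASSWORD_REUSE_MAX          10
  -- One of the TimesTen-supplied functions; user-defined ones are not supported.
  PASSWORD_COMPLEXITY_CHECKER TT_STRONG_VERIFY_FUNCTION;

-- New user on the profile. The password is checked by the profile's
-- complexity function, and the statement fails with an error if the
-- password is not complex enough.
-- Replace the placeholder with a real password before running.
CREATE USER appuser1 IDENTIFIED BY "<password-placeholder>"
  PROFILE app_users_profile;

-- Existing user (assumed to exist already): move it onto the same profile.
ALTER USER appuser2 PROFILE app_users_profile;

-- Switch every user on the profile to the STIG checker. Checks run only
-- against passwords newly specified through CREATE USER or ALTER USER.
ALTER PROFILE app_users_profile LIMIT
  PASSWORD_COMPLEXITY_CHECKER TT_STIG_VERIFY_FUNCTION;

-- A second profile that inherits one setting: DEFAULT takes the value from
-- the default profile instead of stating a limit here.
CREATE PROFILE batch_users_profile LIMIT
  FAILED_LOGIN_ATTEMPTS       3
  PASSWORD_LIFE_TIME          DEFAULT
  PASSWORD_COMPLEXITY_CHECKER TT_VERIFY_FUNCTION;
```

A user created without a PROFILE clause is governed by the default profile, where the complexity checker is NULL unless that profile has been changed.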