Password Management for Oracle8
DESCRIPTION
Password Management for Oracle8. Ari Kaplan, Independent Consultant. Oracle8, Oracle7, and UNIX password capabilities. Password functionality: account locking, password complexity verifications, password history, password lifetime and expiration. Creating users.
TRANSCRIPT
Password Management for Oracle8
Ari Kaplan
Independent Consultant
Introduction
Learn the new password functionality of Oracle8
See the syntax of the related commands
Get the theory behind how Oracle uses passwords
Oracle8, Oracle7, and UNIX Password Capabilities

Functionality                                Oracle8              Oracle7      UNIX (from years ago)
No connection after 3 consecutive attempts
Password restrictions
Locking out users                            Manual or Automatic  Manual only  Manual or Automatic
Password Functionality
Account Locking
Password Complexity Verifications
Password History
Password Lifetime and Expiration
Creating Users
The CREATE USER command sets the initial password for a user account:
  CREATE USER IOUG_PERSON IDENTIFIED BY applaud_now;
The new account cannot log in until it is granted the CREATE SESSION privilege (directly or through a role), so creating the user is only the first step.
Describing User Attributes
For existing accounts, you can view some attributes of that user by entering:
  SELECT * FROM ALL_USERS;
ALL_USERS itself shows only Username, User_ID and the date/time that the user was created. The fuller list on the slide (Username, User_ID, Password, Default Tablespace, date/time created, Default Profile) is what DBA_USERS returns, and it needs DBA privileges. The Password column holds the one-way hash of the password, not the password itself; the view should still be treated as sensitive.
Table and System Privileges
The GRANT command gives privileges directly to user accounts and indirectly via roles
The REVOKE command removes privileges from user accounts or roles
Table Privileges: SELECT/INSERT/UPDATE/DELETE/ALTER
System Privileges: CREATE PUBLIC SYNONYM, UNLIMITED TABLESPACE, DROP ANY TABLE, etc.
Maintaining Restrictions via Profiles
Restrictions on system and object resources are maintained via profiles
Some of them include: SESSIONS_PER_USER, CPU_PER_SESSION, CPU_PER_CALL, CONNECT_TIME, IDLE_TIME, LOGICAL_READS_PER_SESSION, LOGICAL_READS_PER_CALL, COMPOSITE_LIMIT, and PRIVATE_SGA.
To restrict user accounts to 15 minutes per connection, you would create a profile with CONNECT_TIME set to 15 (the unit is minutes), then assign the user to the new profile. Resource limits such as these are only enforced while the RESOURCE_LIMIT initialization parameter is TRUE; the password limits described later are enforced regardless of that parameter.
Creating Profiles
When a user account is created, it is assigned to the DEFAULT profile (unless otherwise specified). To create a new profile, use the CREATE PROFILE command and list all restrictions along with their values.
  CREATE PROFILE profile_name LIMIT SESSIONS_PER_USER 4;
Assign a Profile to a User
Once a profile has been created, you can associate users to the profile. It is through this method that different password options can be set for user accounts.
  ALTER USER username PROFILE profile_name;
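Putting the last few slides together, as an added example that is not part of the presentation: it creates an account, gives it the minimum privileges through a role, creates a profile that cuts each connection off after 15 minutes, and assigns the profile. The role name REPORT_READER, the profile name LIMITED_USERS, the table APP.ORDERS and the tablespace names are assumptions made for the illustration; IOUG_PERSON and applaud_now are the slide's own values.

```sql
-- Added example: least-privilege onboarding of a new account.
-- Names REPORT_READER, LIMITED_USERS, APP.ORDERS, USERS and TEMP are assumed.

-- Resource limits in profiles (CONNECT_TIME, SESSIONS_PER_USER, IDLE_TIME ...)
-- are only enforced while RESOURCE_LIMIT is TRUE. Password limits do not
-- depend on this parameter.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- 1. Profile: at most 2 concurrent sessions, each ended after 15 minutes
--    (CONNECT_TIME is in minutes), and ended after 10 idle minutes.
CREATE PROFILE LIMITED_USERS LIMIT
  SESSIONS_PER_USER 2
  CONNECT_TIME      15
  IDLE_TIME         10;

-- 2. A role carrying only what the account needs. Granting through a role
--    keeps the user's direct grant list empty and easy to audit.
CREATE ROLE REPORT_READER;
GRANT CREATE SESSION        TO REPORT_READER;
GRANT SELECT ON APP.ORDERS  TO REPORT_READER;

-- 3. The account. CREATE USER alone does not allow a logon: CREATE SESSION
--    arrives through the role. QUOTA 0 stops the account from storing data
--    in its default tablespace. The profile can be set here ...
CREATE USER IOUG_PERSON IDENTIFIED BY applaud_now
  DEFAULT TABLESPACE   USERS
  TEMPORARY TABLESPACE TEMP
  QUOTA 0 ON USERS
  PROFILE LIMITED_USERS;
GRANT REPORT_READER TO IOUG_PERSON;

-- ... or afterwards, which is how an existing account is moved to a profile.
ALTER USER IOUG_PERSON PROFILE LIMITED_USERS;

-- 4. Verify what was actually granted and which profile applies.
SELECT grantee, granted_role FROM dba_role_privs WHERE grantee = 'IOUG_PERSON';
SELECT grantee, privilege    FROM dba_sys_privs  WHERE grantee = 'IOUG_PERSON';
SELECT grantee, privilege    FROM dba_tab_privs  WHERE grantee = 'IOUG_PERSON';
SELECT username, profile, account_status
FROM   dba_users
WHERE  username = 'IOUG_PERSON';
```

The last three queries should show no direct system or table privileges on IOUG_PERSON (they live on the role) and the LIMITED_USERS profile; a direct grant that does appear is something to REVOKE and move onto the role.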
Password-Related Options that can be Defined for Profiles
FAILED_LOGIN_ATTEMPTS      failed logins allowed before the account is locked
PASSWORD_GRACE_TIME        days after expiry during which login still works, with a warning
PASSWORD_LIFE_TIME         days a password stays valid before it expires
PASSWORD_LOCK_TIME         days the account stays locked after too many failed logins
PASSWORD_REUSE_MAX         number of password changes before an old password may be reused
PASSWORD_REUSE_TIME        days before an old password may be reused
PASSWORD_VERIFY_FUNCTION   PL/SQL function that checks a new password's complexity
All times are in days; fractions work, so 1/24 is one hour and 1/1440 is one minute. In Oracle8 the two reuse limits are mutually exclusive: give one a value and set the other to UNLIMITED.
Default Profile Password Parameter Values
Parameter                   Default Value
FAILED_LOGIN_ATTEMPTS       3
PASSWORD_GRACE_TIME         10
PASSWORD_LIFE_TIME          60
PASSWORD_LOCK_TIME          1/1440 (1 minute)
PASSWORD_REUSE_MAX          UNLIMITED
PASSWORD_REUSE_TIME         1800
PASSWORD_VERIFY_FUNCTION    verify_function
These are the values that Oracle's utlpwdmg.sql script applies to the DEFAULT profile when it creates verify_function (time values are in days, so PASSWORD_REUSE_TIME 1800 is roughly five years). Until that script is run, every password limit in DEFAULT is UNLIMITED and no verify function is assigned, so accounts on DEFAULT get no lockout, no expiry and no complexity check.
Creating a Sample Password-Related Profile
If you want to assign non-default password management options to user accounts, you can create a new profile. The following SQL statement will lock a user account out of the database for one hour after failing to successfully log in three times. Also, the password will automatically expire every thirty days. Any limit not listed is inherited from the DEFAULT profile.
  CREATE PROFILE NORMAL_USERS LIMIT
    PASSWORD_LIFE_TIME    30
    FAILED_LOGIN_ATTEMPTS 3
    PASSWORD_LOCK_TIME    1/24;
Password Management Options for a Profile
The following SQL statement will prompt you for a profile. The result will be a listing of all defined password management options, along with their values.
  COLUMN PROFILE       FORMAT A15
  COLUMN RESOURCE_NAME FORMAT A25
  COLUMN RESOURCE_TYPE FORMAT A15
  COLUMN LIMIT         FORMAT A15
  SELECT PROFILE, RESOURCE_NAME,
         RESOURCE_TYPE, LIMIT
  FROM   DBA_PROFILES
  WHERE  PROFILE = '&profile_name' AND
         RESOURCE_TYPE LIKE '%PASSWORD%';
Password Management Options for a Profile
Here is a sample output from the previous SQL. A LIMIT of DEFAULT means the value is inherited from the DEFAULT profile, and the lock time of 1/24 day is displayed as .0416:
  Enter value for profile_name: NORMAL_USERS
  old   4: WHERE  PROFILE = '&profile_name' AND
  new   4: WHERE  PROFILE = 'NORMAL_USERS' AND

  PROFILE         RESOURCE_NAME             RESOURCE_TYPE   LIMIT
  --------------- ------------------------- --------------- ---------------
  NORMAL_USERS    FAILED_LOGIN_ATTEMPTS     PASSWORD        3
  NORMAL_USERS    PASSWORD_LIFE_TIME        PASSWORD        30
  NORMAL_USERS    PASSWORD_REUSE_TIME       PASSWORD        DEFAULT
  NORMAL_USERS    PASSWORD_VERIFY_FUNCTION  PASSWORD        DEFAULT
  NORMAL_USERS    PASSWORD_LOCK_TIME        PASSWORD        .0416
  NORMAL_USERS    PASSWORD_GRACE_TIME       PASSWORD        DEFAULT
The Default verify_function Provided by Oracle
This function must be created in the SYS schema, and you must connect as sys/<password> AS SYSDBA before running the script (Oracle ships it as utlpwdmg.sql under $ORACLE_HOME/rdbms/admin). The verify_function is shown in five parts:
1. The beginning of the verify_function; check if the password is the same as the username
2. Check to make sure that the password has at least 4 characters
3. Check to make sure that the password is not "too simple" by comparing against 8 simple words
4. Check to make sure that the password contains at least one letter, one digit, and one punctuation mark
5. Check if the password differs from the previous password by at least 3 letters
The Default verify_function Provided by Oracle - Part 1
This snippet contains the start of the function and checks if the password is the same as the username.
  CREATE OR REPLACE FUNCTION verify_function
    (username     VARCHAR2,
     password     VARCHAR2,
     old_password VARCHAR2)
  RETURN BOOLEAN IS
    n          BOOLEAN;
    m          INTEGER;
    differ     INTEGER;
    isdigit    BOOLEAN;
    ischar     BOOLEAN;
    ispunct    BOOLEAN;
    digitarray VARCHAR2(20);
    punctarray VARCHAR2(25);
    chararray  VARCHAR2(52);
  BEGIN
    digitarray := '0123456789';
    chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    punctarray := '!"#$%&()``*+,-/:;<=>?_';

    -- Check if the password is same as the username.
    -- Note: this is an exact, case-sensitive comparison while usernames are
    -- stored in upper case, so a differently-cased copy of the username is
    -- not caught here.
    IF password = username THEN
      raise_application_error(-20001, 'Password same as user');
    END IF;
The Default verify_function Provided by Oracle - Part 2
This snippet checks to make sure that the password has at least 4 characters:
    -- Check for the minimum length of the password
    IF length(password) < 4 THEN
      raise_application_error(-20002, 'Password length less than 4');
    END IF;
The Default verify_function Provided by Oracle - Part 3
    -- Check if the password is too simple. A dictionary of words may be
    -- maintained and a check may be made so as not to allow the words
    -- that are too simple for the password.
    IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user',
                               'password', 'oracle', 'computer', 'abcd') THEN
      raise_application_error(-20002, 'Password too simple');
    END IF;
The Default verify_function Provided by Oracle - Part 4
    -- Check if the password contains at least one letter, one digit and
    -- one punctuation mark.
    -- 1. Check for the digit. You may delete 1. and replace with 2. or 3.
    isdigit := FALSE;
    m := length(password);
    FOR i IN 1..10 LOOP
      FOR j IN 1..m LOOP
        IF substr(password, j, 1) = substr(digitarray, i, 1) THEN
          isdigit := TRUE;
          GOTO findchar;
        END IF;
      END LOOP;
    END LOOP;
    IF isdigit = FALSE THEN
      raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
    END IF;

    -- 2. Check for the character
    <<findchar>>
    ischar := FALSE;
    FOR i IN 1..length(chararray) LOOP
      FOR j IN 1..m LOOP
        IF substr(password, j, 1) = substr(chararray, i, 1) THEN
          ischar := TRUE;
          GOTO findpunct;
        END IF;
      END LOOP;
    END LOOP;
    IF ischar = FALSE THEN
      raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
    END IF;

    -- 3. Check for the punctuation
    <<findpunct>>
    ispunct := FALSE;
    FOR i IN 1..length(punctarray) LOOP
      FOR j IN 1..m LOOP
        IF substr(password, j, 1) = substr(punctarray, i, 1) THEN
          ispunct := TRUE;
          GOTO endsearch;
        END IF;
      END LOOP;
    END LOOP;
    IF ispunct = FALSE THEN
      raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
    END IF;
    <<endsearch>>
The Default verify_function Provided by Oracle - Part 5
    -- Check if the password differs from the previous password by at least
    -- 3 letters.
    -- Note: in Oracle an empty string is NULL, so old_password = '' is never
    -- TRUE and the test below never fires. old_password is NULL whenever the
    -- change is made without the REPLACE clause (for example a DBA resetting
    -- another account); length(NULL) is NULL, so in that case the whole
    -- difference check is skipped rather than failed.
    IF old_password = '' THEN
      raise_application_error(-20004, 'Old password is null');
    END IF;
    differ := length(old_password) - length(password);
    IF abs(differ) < 3 THEN
      IF length(password) < length(old_password) THEN
        m := length(password);
      ELSE
        m := length(old_password);
      END IF;
      differ := abs(differ);
      FOR i IN 1..m LOOP
        IF substr(password, i, 1) != substr(old_password, i, 1) THEN
          differ := differ + 1;
        END IF;
      END LOOP;
      IF differ < 3 THEN
        raise_application_error(-20004, 'Password should differ by at least 3 characters');
      END IF;
    END IF;
    -- Everything is fine; return TRUE
    RETURN(TRUE);
  END;
  /
Creating your own verify_function
You can create your own verify function. It may be called anything you like (within reason: no reserved words, etc.). The only requirements are that it be owned by the SYS user account, and that it sticks to the following format:
  function_name (userid_parameter       IN VARCHAR(30),
                 password_parameter     IN VARCHAR(30),
                 old_password_parameter IN VARCHAR(30))
  RETURN BOOLEAN
The lengths are documentation only: in the actual PL/SQL declaration the parameters are plain VARCHAR2, since PL/SQL does not allow a length on a parameter type. The function returns TRUE to accept the password; to reject it, raise an error with raise_application_error, as the default function does.
Assigning the verify_function to a Profile
Once the function is defined, it must be assigned to one or more profiles in order to be used.
  ALTER PROFILE profile_name LIMIT PASSWORD_VERIFY_FUNCTION function_name;
The function runs only when a password is set or changed; passwords that already exist are never re-checked. To bring existing accounts under the new rule, expire their passwords so that the next logon forces a change.
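A stricter custom verify function, written here as an added example and not taken from Oracle's utlpwdmg.sql or the presentation: it uses the required signature, tightens the five checks above (8 characters, username rejected as a substring in any case, dictionary words rejected as substrings, one pass for the character classes instead of nested loops with GOTO, and an IS NOT NULL guard for the old password), and is then attached to the NORMAL_USERS profile from the slides. The function name strict_verify_function, the extra dictionary words and the sample passwords are assumptions.

```sql
-- Added example. Run as SYS: CONNECT sys/<password> AS SYSDBA
-- The verify function must be owned by SYS and must match this signature.
CREATE OR REPLACE FUNCTION strict_verify_function
  (username     VARCHAR2,
   password     VARCHAR2,
   old_password VARCHAR2)
RETURN BOOLEAN IS
  TYPE word_t IS VARRAY(10) OF VARCHAR2(30);
  -- Assumed word list; extend it with anything site-specific (company name, product names).
  words     word_t := word_t('welcome', 'database', 'account', 'user', 'password',
                             'oracle', 'computer', 'abcd', 'qwerty', '123456');
  lpw       VARCHAR2(60);
  c         VARCHAR2(4);
  has_digit BOOLEAN := FALSE;
  has_alpha BOOLEAN := FALSE;
  has_punct BOOLEAN := FALSE;
  differ    INTEGER;
BEGIN
  lpw := NLS_LOWER(password);

  -- 1. Minimum length: 8 rather than the default function's 4.
  IF length(password) < 8 THEN
    raise_application_error(-20002, 'Password must be at least 8 characters');
  END IF;

  -- 2. Username must not appear anywhere in the password, in any case.
  --    (The default function only rejects an exact, case-sensitive match.)
  IF instr(lpw, NLS_LOWER(username)) > 0 THEN
    raise_application_error(-20001, 'Password contains the username');
  END IF;

  -- 3. Dictionary words are rejected as substrings, so "oracle1!" fails too.
  FOR i IN 1..words.COUNT LOOP
    IF instr(lpw, words(i)) > 0 THEN
      raise_application_error(-20002, 'Password contains a common word');
    END IF;
  END LOOP;

  -- 4. Character classes in a single pass. Mixed case is deliberately not
  --    required: Oracle8 hashes passwords case-insensitively, so an upper-case
  --    letter adds nothing to the stored hash's strength.
  FOR i IN 1..length(password) LOOP
    c := substr(password, i, 1);
    IF c BETWEEN '0' AND '9' THEN
      has_digit := TRUE;
    ELSIF NLS_LOWER(c) BETWEEN 'a' AND 'z' THEN
      has_alpha := TRUE;
    ELSE
      has_punct := TRUE;   -- anything else counts as punctuation
    END IF;
  END LOOP;
  IF NOT (has_digit AND has_alpha AND has_punct) THEN
    raise_application_error(-20003, 'Password needs a letter, a digit and a punctuation mark');
  END IF;

  -- 5. The previous password is only supplied when the user changes their own
  --    password with ALTER USER ... IDENTIFIED BY new REPLACE old. A DBA reset
  --    passes NULL, so guard with IS NOT NULL; the default function's = ''
  --    test is never true in Oracle.
  IF old_password IS NOT NULL THEN
    differ := abs(length(old_password) - length(password));
    IF differ < 3 THEN
      FOR i IN 1..least(length(password), length(old_password)) LOOP
        IF substr(password, i, 1) != substr(old_password, i, 1) THEN
          differ := differ + 1;
        END IF;
      END LOOP;
      IF differ < 3 THEN
        raise_application_error(-20004, 'Password must differ from the old one by at least 3 characters');
      END IF;
    END IF;
  END IF;

  RETURN TRUE;
END;
/

-- Attach it to the profile, then force accounts on that profile to pick a
-- compliant password at next logon (existing passwords are never re-checked).
ALTER PROFILE NORMAL_USERS LIMIT PASSWORD_VERIFY_FUNCTION strict_verify_function;
ALTER USER IOUG_PERSON PASSWORD EXPIRE;

-- Exercising it: the first fails with ORA-20001 (contains the username),
-- the second is accepted. Quotes are needed for the punctuation characters.
ALTER USER IOUG_PERSON IDENTIFIED BY "ioug_person_1!";
ALTER USER IOUG_PERSON IDENTIFIED BY "Applaud-2024";
```

The check order matters for the error a user sees: length is tested first because it is the cheapest and most common failure, and the old-password comparison comes last because it only applies to self-service changes.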
Expiring/Unlocking Passwords
Manually unlock a user: The account may be unlocked by only two methods:
1) The user waits for the specified PASSWORD_LOCK_TIME period. This applies only to a lock caused by failed logins (status LOCKED(TIMED)); an account locked explicitly with ACCOUNT LOCK, or under a profile whose PASSWORD_LOCK_TIME is UNLIMITED, stays locked until an administrator opens it.
2) The security administrator manually unlocks the account:
  ALTER USER username ACCOUNT UNLOCK;
Expiring: This SQL will force users to change their password the next time that they log in:
  ALTER USER username PASSWORD EXPIRE;
Determining the Password Status of a Particular User Account
The following SQL will prompt you for a user account name (enter it in upper case, as stored), and then show account status (if the account has expired or is locked), the date that the account was locked out of the database (if any), the date that the password will expire on (if any), and the profile that the user account has been assigned to.
  COLUMN USERNAME       FORMAT A14
  COLUMN ACCOUNT_STATUS FORMAT A14
  COLUMN LOCK_DATE      FORMAT A14
  COLUMN EXPIRY_DATE    FORMAT A16
  COLUMN PROFILE        FORMAT A15
  SELECT USERNAME, ACCOUNT_STATUS,
         TO_CHAR(LOCK_DATE, 'DD-MON-YY') LOCK_DATE,
         TO_CHAR(EXPIRY_DATE, 'DD-MON-YY') EXPIRY_DATE,
         PROFILE
  FROM   DBA_USERS
  WHERE  USERNAME = '&username';
Determining the Password Status of a Particular User Account
A sample output from the above SQL follows:
  Enter value for username: IOUG_PERSON
  old   6: WHERE  USERNAME = '&username'
  new   6: WHERE  USERNAME = 'IOUG_PERSON'

  USERNAME       ACCOUNT_STATUS LOCK_DATE      EXPIRY_DATE      PROFILE
  -------------- -------------- -------------- ---------------- ---------------
  IOUG_PERSON    EXPIRED                       00-DECEMBER-00   NORMAL_USERS
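The single-account query above generalises to a sweep of every account, shown here as an added example that is not part of the presentation: it lists accounts that are locked, expired, or whose password expires within the next 7 days (a horizon assumed for the illustration) with the administrator's action for each, followed by the lock, unlock and expire statements applied to the slides' IOUG_PERSON account. Run it as a DBA.

```sql
-- Added example: daily account-status sweep over DBA_USERS.
-- DECODE rather than CASE so that it runs on Oracle8 as well as later releases.
COLUMN username       FORMAT A14
COLUMN account_status FORMAT A24
COLUMN lock_date      FORMAT A15
COLUMN expiry_date    FORMAT A15
COLUMN action         FORMAT A48

SELECT username,
       account_status,
       TO_CHAR(lock_date,   'DD-MON-YY HH24:MI') lock_date,
       TO_CHAR(expiry_date, 'DD-MON-YY HH24:MI') expiry_date,
       DECODE(account_status,
              'OPEN',           'password expires within 7 days: warn user',
              'EXPIRED',        'user must change password at next logon',
              'EXPIRED(GRACE)', 'user must change password before grace ends',
              'LOCKED(TIMED)',  'failed logins: wait PASSWORD_LOCK_TIME or UNLOCK',
              'LOCKED',         'locked by DBA: ACCOUNT UNLOCK reopens it',
              'locked and expired: UNLOCK, then user changes password') action
FROM   dba_users
WHERE  account_status <> 'OPEN'
   OR  expiry_date < SYSDATE + 7          -- NULL expiry (no lifetime) is excluded
ORDER  BY account_status, username;

-- Manual lock: Oracle8 supports manual as well as automatic locking.
ALTER USER IOUG_PERSON ACCOUNT LOCK;

-- Reopen it. This also clears a LOCKED(TIMED) state without waiting out
-- PASSWORD_LOCK_TIME, and resets the failed-login count.
ALTER USER IOUG_PERSON ACCOUNT UNLOCK;

-- Force a new password at the next logon without choosing one for the user.
ALTER USER IOUG_PERSON PASSWORD EXPIRE;

-- The user's own change afterwards; REPLACE is what supplies old_password
-- to the profile's verify function.
-- ALTER USER IOUG_PERSON IDENTIFIED BY "New-pass-1" REPLACE applaud_now;
```

A LOCKED(TIMED) row with a lock_date in the last few minutes is what a password-guessing attempt against that account looks like from the dictionary; a cluster of them across many accounts at once is worth investigating before unlocking anything.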
Data Dictionary Views Used for Password Management
There are a few data dictionary views that can be queried to determine the status of password management in your database:
USER_PASSWORD_LIMITS and USER_RESOURCE_LIMITS: the limits that apply to your own account (there are no ALL_ or DBA_ variants of these views)
USER_USERS, ALL_USERS, DBA_USERS: account status, lock date and expiry date (DBA_USERS also shows the profile)
DBA_PROFILES: every limit of every profile (there are no USER_PROFILES or ALL_PROFILES views)
The Don'ts of Oracle Passwords
Do not use SQLPLUS username/password to go into SQL*Plus. For example, in UNIX, someone can type "ps -ef" and see all passwords clearly!
Do not use EXP80 or IMP80 with the USERID parameter on the command line. Again, "ps -ef" would show it! Instead, put USERID in a parameter file that only you can read and specify it with the PARFILE parameter.
Do not use SQLLDR with the USERID parameter on the command line, for the same reasons.
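The safe form of the login, as an added example that is not part of the presentation: SQL*Plus is started with no credentials and the connection is made from inside the session, so the process's argument list, which is all that ps -ef can show, never carries a password. The script name connect_safely.sql and the parameter file name exp_ioug.par are made up for the illustration.

```sql
-- Added example. Start SQL*Plus without credentials and connect from inside:
--     sqlplus /nolog @connect_safely.sql
-- The sqlplus process then has no username or password in its argument list.
SET VERIFY OFF
-- Prompt for the account name only. Given a bare username, CONNECT asks for
-- the password itself and does not echo it to the terminal.
ACCEPT db_user CHAR PROMPT 'Username: '
CONNECT &db_user
SHOW USER
UNDEFINE db_user

-- EXP80, IMP80 and SQLLDR take the same precaution through a parameter file,
-- e.g. exp_ioug.par, made readable only by its owner (mode 600), containing:
--     USERID=ioug_person/applaud_now
--     FILE=ioug.dmp
-- and then a command line that names only the file:
--     exp80 PARFILE=exp_ioug.par
```

The parameter file still holds the password at rest, so its file permissions are the whole protection; the gain over the command line is that it is no longer readable by every user on the machine through the process table.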