Password Management for Oracle8 Ari Kaplan Independent Consultant.


Oracle8, Oracle7, and UNIX Password Capabilities

Password Functionality
- Account Locking
- Password Complexity Verifications
- Password History
- Password Lifetime and Expiration

Creating Users
The CREATE USER command sets the initial password for a user account:
    CREATE USER IOUG_PERSON IDENTIFIED BY applaud_now;
An unquoted password follows identifier rules (it starts with a letter and contains only letters, digits, _, $ and #); enclose the password in double quotes to use other characters. The same statement also accepts PROFILE and PASSWORD EXPIRE clauses, so a new account can be placed under a password-management profile from the start and forced to choose its own password at first login instead of keeping the one the administrator typed.

Describing User Attributes
For existing accounts, you can view some attributes of a user by entering:
    SELECT * FROM ALL_USERS;
ALL_USERS is visible to every account but carries only the username, user ID and creation date. The full set of attributes below comes from DBA_USERS, which requires DBA privileges:
- Username
- User_ID
- Password (the stored hash, not the clear text; treat it as sensitive, because a copy of the hash can be attacked offline)
- Default Tablespace
- Date/Time that the user was created
- Default Profile

Table and System Privileges
- The GRANT command gives privileges directly to user accounts and indirectly via roles.
- The REVOKE command removes privileges from user accounts or roles.
- Table Privileges: SELECT/INSERT/UPDATE/DELETE/ALTER
- System Privileges: CREATE PUBLIC SYNONYM, UNLIMITED TABLESPACE, DROP ANY TABLE, etc.

Maintaining Restrictions via Profiles
- Restrictions on system and object resources are maintained via profiles.
- Some of the resource limits are: SESSIONS_PER_USER, CPU_PER_SESSION, CPU_PER_CALL, CONNECT_TIME, IDLE_TIME, LOGICAL_READS_PER_SESSION, LOGICAL_READS_PER_CALL, COMPOSITE_LIMIT and PRIVATE_SGA.
- To restrict user accounts to 15 minutes per connection, you would create a profile with CONNECT_TIME set to 15 (the unit is minutes), then assign the user to the new profile.
- Caveat: these resource limits are enforced only when the RESOURCE_LIMIT initialization parameter is TRUE (it defaults to FALSE). The password limits described later are enforced regardless of that setting.

Creating Profiles
When a user account is created it is assigned to the DEFAULT profile unless another profile is specified. To create a new profile, use the CREATE PROFILE command and list the restrictions along with their values; any limit you do not list is set to DEFAULT, which means it is inherited from the DEFAULT profile.
    CREATE PROFILE profile_name LIMIT SESSIONS_PER_USER 4;

Assign a Profile to a User
- Once a profile has been created, you can associate users with it.
- It is through this method that different password options are set for user accounts; a profile has no effect on a user until it has been assigned.
    ALTER USER username PROFILE profile_name;

Password-Related Options that can be Defined for Profiles
- FAILED_LOGIN_ATTEMPTS: consecutive failed logins allowed before the account is locked
- PASSWORD_GRACE_TIME: days after expiry during which login still succeeds, with a warning
- PASSWORD_LIFE_TIME: days a password may be used before it expires
- PASSWORD_LOCK_TIME: days an account stays locked after FAILED_LOGIN_ATTEMPTS is reached
- PASSWORD_REUSE_MAX: number of password changes required before a password may be reused
- PASSWORD_REUSE_TIME: days that must pass before a password may be reused
- PASSWORD_VERIFY_FUNCTION: PL/SQL function that checks the complexity of new passwords
All time values are in days; fractions such as 1/24 (one hour) are allowed.

Default Profile Password Parameter Values

Creating a Sample Password-Related Profile
If you want to assign non-default password management options to user accounts, you can create a new profile. The following SQL statement locks a user account out of the database for one hour after three consecutive failed login attempts, and expires the password every thirty days. Time limits are expressed in days, so one hour is written as 1/24.
    CREATE PROFILE NORMAL_USERS LIMIT
        PASSWORD_LIFE_TIME     30
        FAILED_LOGIN_ATTEMPTS  3
        PASSWORD_LOCK_TIME     1/24;
The limits not listed (grace time, reuse and verify function) stay at DEFAULT, i.e. whatever the DEFAULT profile specifies, and the profile affects only the users that are assigned to it with ALTER USER ... PROFILE.

Password Management Options for a Profile
The following SQL statement prompts for a profile name. The result is a listing of all defined password management options for that profile, along with their values.
    COLUMN PROFILE FORMAT A15
    COLUMN RESOURCE_NAME FORMAT A25
    COLUMN RESOURCE_TYPE FORMAT A15
    COLUMN LIMIT FORMAT A15
    SELECT PROFILE, RESOURCE_NAME,
           RESOURCE_TYPE, LIMIT
    FROM DBA_PROFILES
    WHERE PROFILE = '&profile_name' AND
          RESOURCE_TYPE LIKE '%PASSWORD%';

Password Management Options for a Profile
Here is a sample output from the previous SQL:
    Enter value for profile_name: NORMAL_USERS
    old   4: WHERE PROFILE = '&profile_name' AND
    new   4: WHERE PROFILE = 'NORMAL_USERS' AND

    PROFILE         RESOURCE_NAME             RESOURCE_TYPE   LIMIT
    --------------- ------------------------- --------------- ---------------
    NORMAL_USERS    FAILED_LOGIN_ATTEMPTS     PASSWORD        3
    NORMAL_USERS    PASSWORD_LIFE_TIME        PASSWORD        30
    NORMAL_USERS    PASSWORD_REUSE_TIME       PASSWORD        DEFAULT
    NORMAL_USERS    PASSWORD_VERIFY_FUNCTION  PASSWORD        DEFAULT
    NORMAL_USERS    PASSWORD_LOCK_TIME        PASSWORD        .0416
    NORMAL_USERS    PASSWORD_GRACE_TIME       PASSWORD        DEFAULT
Limits shown as DEFAULT are inherited from the DEFAULT profile; .0416 is 1/24 of a day, i.e. one hour.

The Default verify_function Provided by Oracle
Oracle ships a sample function, verify_function, in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. It must be created in the SYS schema, so connect as SYS with the SYSDBA privilege before running the script. The function is shown below in five parts:
1. The beginning of the verify_function, and a check that the password is not the same as the username
2. Check that the password has at least 4 characters
3. Check that the password is not "too simple" by comparing it against 8 simple words
4. Check that the password contains at least one letter, one digit and one punctuation mark
5. Check that the password differs from the previous password by at least 3 characters
Treat it as a template rather than a policy: a four-character minimum and an eight-word list are far below current practice, and Oracle expects the function to be edited.

The Default verify_function Provided by Oracle - Part 1
The beginning of the function: the declarations, the character sets, and the check that the password is not the same as the username.
    CREATE OR REPLACE FUNCTION verify_function
       (username     varchar2,
        password     varchar2,
        old_password varchar2)
    RETURN boolean IS
       n          boolean;
       m          integer;
       differ     integer;
       isdigit    boolean;
       ischar     boolean;
       ispunct    boolean;
       digitarray varchar2(20);
       punctarray varchar2(25);
       chararray  varchar2(52);
    BEGIN
       -- the digits, the letters and the ASCII punctuation marks searched for in part 4
       digitarray := '0123456789';
       chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
       punctarray := '!"#$%&()``*+,-/:;<=>?_';

       -- Check if the password is same as the username
       -- (case-sensitive: usernames are stored in upper case, so a password
       -- such as ioug_person for user IOUG_PERSON is not caught here)
       IF password = username THEN
          raise_application_error(-20001, 'Password same as user');
       END IF;

The Default verify_function Provided by Oracle - Part 2
This snippet checks that the password has at least 4 characters:
       -- Check for the minimum length of the password
       IF length(password) < 4 THEN
          raise_application_error(-20002, 'Password length less than 4');
       END IF;

The Default verify_function Provided by Oracle - Part 3
This snippet rejects a short list of trivial passwords:
       -- Check if the password is too simple. A dictionary of words may be
       -- maintained and a check may be made so as not to allow the words
       -- that are too simple for the password.
       IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user',
                                  'password', 'oracle', 'computer', 'abcd') THEN
          raise_application_error(-20002, 'Password too simple');
       END IF;

The Default verify_function Provided by Oracle - Part 4
This snippet checks that the password contains at least one letter, one digit and one punctuation mark. Each search is a nested loop over the character set and the password; a GOTO jumps to the next check as soon as a match is found. Oracle's comment notes that you may delete check 1 and replace it with 2 or 3.
       -- Check if the password contains at least one letter, one digit and one
       -- punctuation mark.
       -- 1. Check for the digit
       -- You may delete 1. and replace with 2. or 3.
       isdigit := FALSE;
       m := length(password);
       FOR i IN 1..length(digitarray) LOOP
          FOR j IN 1..m LOOP
             IF substr(password,j,1) = substr(digitarray,i,1) THEN
                isdigit := TRUE;
                GOTO findchar;
             END IF;
          END LOOP;
       END LOOP;
       IF isdigit = FALSE THEN
          raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
       END IF;

       -- 2. Check for the character
       <<findchar>>
       ischar := FALSE;
       FOR i IN 1..length(chararray) LOOP
          FOR j IN 1..m LOOP
             IF substr(password,j,1) = substr(chararray,i,1) THEN
                ischar := TRUE;
                GOTO findpunct;
             END IF;
          END LOOP;
       END LOOP;
       IF ischar = FALSE THEN
          raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
       END IF;

       -- 3. Check for the punctuation
       <<findpunct>>
       ispunct := FALSE;
       FOR i IN 1..length(punctarray) LOOP
          FOR j IN 1..m LOOP
             IF substr(password,j,1) = substr(punctarray,i,1) THEN
                ispunct := TRUE;
                GOTO endsearch;
             END IF;
          END LOOP;
       END LOOP;
       IF ispunct = FALSE THEN
          raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
       END IF;

The Default verify_function Provided by Oracle - Part 5
This snippet compares the new password with the previous one and requires at least 3 differing characters (a difference in length counts towards the 3).
       <<endsearch>>
       -- Check if the password differs from the previous password by at least
       -- 3 letters
       -- Note: in Oracle the empty string '' is NULL, so this comparison is
       -- never true and the error below is never raised. When old_password
       -- is NULL (the password was changed without supplying the old one,
       -- for example an administrator reset), length(old_password) is NULL,
       -- abs(differ) < 3 evaluates to NULL and the history check is skipped.
       IF old_password = '' THEN
          raise_application_error(-20004, 'Old password is null');
       END IF;
       differ := length(old_password) - length(password);
       IF abs(differ) < 3 THEN
          IF length(password) < length(old_password) THEN
             m := length(password);
          ELSE
             m := length(old_password);
          END IF;
          differ := abs(differ);
          FOR i IN 1..m LOOP
             IF substr(password,i,1) != substr(old_password,i,1) THEN
                differ := differ + 1;
             END IF;
          END LOOP;
          IF differ < 3 THEN
             raise_application_error(-20004, 'Password should differ by at least 3 characters');
          END IF;
       END IF;
       -- Everything is fine; return TRUE
       RETURN(TRUE);
    END;
    /

Creating your own verify_function
- You can create your own verify function. It may be called anything you like (within reason: no reserved words, etc.).
- The only requirements are that it is owned by the SYS user account and that it has the following signature (each parameter is a string of at most 30 characters; PL/SQL parameter declarations carry no length):
    function_name (userid_parameter       IN VARCHAR2,
                   password_parameter     IN VARCHAR2,
                   old_password_parameter IN VARCHAR2)
    RETURN BOOLEAN
- Return TRUE to accept the new password. Returning FALSE or raising an exception rejects it; raising with raise_application_error lets you tell the user why.

Assigning the verify_function to a Profile
Once the function is defined, it must be assigned to one or more profiles in order to be used. Only passwords set or changed after the assignment are checked; existing passwords are not re-validated. Setting PASSWORD_VERIFY_FUNCTION to NULL switches the check off again.
    ALTER PROFILE profile_name LIMIT PASSWORD_VERIFY_FUNCTION function_name;
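The following is an added example, not part of the original presentation and not Oracle's utlpwdmg.sql: a stricter verify function written against the signature above. The function name VERIFY_FUNCTION_STRICT, the minimum length of 8, the deny-list words and the assignment to the NORMAL_USERS profile at the end are this example's own choices. It avoids two weaknesses of the shipped function: the username comparison is case-insensitive (usernames are stored in upper case, so ioug_person would pass the shipped check for IOUG_PERSON), and the history check is skipped when no old password is supplied instead of relying on a comparison that can never be true. It must be created in the SYS schema.

```sql
-- Added example: a stricter verify function (not Oracle's utlpwdmg.sql).
-- Assumed names: VERIFY_FUNCTION_STRICT and the profile NORMAL_USERS.
-- Connect as SYS (AS SYSDBA) before running; the function must be owned by SYS.
CREATE OR REPLACE FUNCTION verify_function_strict
   (username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN IS
   letters  CONSTANT VARCHAR2(52) :=
      'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
   digits   CONSTANT VARCHAR2(10) := '0123456789';
   -- a doubled quote is how a single quote is written inside a literal
   puncts   CONSTANT VARCHAR2(40) := '!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~';
   lower_pw   VARCHAR2(30);   -- Oracle8 caps passwords and usernames at 30
   lower_user VARCHAR2(30);
   differ     INTEGER;
   m          INTEGER;

   -- TRUE when pw contains at least one character of charset. TRANSLATE keeps
   -- the guard character and deletes every charset member, so the result is
   -- shorter than pw exactly when a member was present. The guard must not be
   -- in charset, otherwise it would be kept instead of deleted.
   FUNCTION has_char_from (pw IN VARCHAR2, charset IN VARCHAR2, guard IN VARCHAR2)
   RETURN BOOLEAN IS
   BEGIN
      RETURN LENGTH(pw) > NVL(LENGTH(TRANSLATE(pw, guard || charset, guard)), 0);
   END has_char_from;

   FUNCTION reversed (s IN VARCHAR2) RETURN VARCHAR2 IS
      r VARCHAR2(30);
   BEGIN
      FOR i IN 1 .. NVL(LENGTH(s), 0) LOOP
         r := SUBSTR(s, i, 1) || r;
      END LOOP;
      RETURN r;
   END reversed;
BEGIN
   -- 1. Minimum length
   IF password IS NULL OR LENGTH(password) < 8 THEN
      raise_application_error(-20001, 'Password must be at least 8 characters');
   END IF;

   -- 2. Must not contain the username, forwards or reversed, in any case.
   --    Usernames are stored in upper case, so compare case-insensitively.
   lower_pw   := NLS_LOWER(password);
   lower_user := NLS_LOWER(username);
   IF INSTR(lower_pw, lower_user) > 0
      OR INSTR(lower_pw, reversed(lower_user)) > 0 THEN
      raise_application_error(-20002, 'Password must not contain the username');
   END IF;

   -- 3. Deny-list of trivial fragments anywhere in the password
   --    (illustrative words; feed this from a real word list in production)
   IF INSTR(lower_pw, 'welcome') > 0 OR INSTR(lower_pw, 'password') > 0
      OR INSTR(lower_pw, 'oracle') > 0 OR INSTR(lower_pw, 'qwerty') > 0 THEN
      raise_application_error(-20002, 'Password contains a common word');
   END IF;

   -- 4. One letter, one digit and one punctuation mark
   IF NOT has_char_from(password, letters, '0')
      OR NOT has_char_from(password, digits, 'a')
      OR NOT has_char_from(password, puncts, 'a') THEN
      raise_application_error(-20003,
         'Password needs at least one letter, one digit and one punctuation mark');
   END IF;

   -- 5. History: old_password is NULL when the change was made without the
   --    old password (for example an administrator reset), so there is nothing
   --    to compare and the check is skipped rather than failing the reset.
   IF old_password IS NOT NULL THEN
      differ := ABS(LENGTH(old_password) - LENGTH(password));
      IF LENGTH(password) < LENGTH(old_password) THEN
         m := LENGTH(password);
      ELSE
         m := LENGTH(old_password);
      END IF;
      FOR i IN 1 .. m LOOP
         IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
            differ := differ + 1;
         END IF;
      END LOOP;
      IF differ < 3 THEN
         raise_application_error(-20004,
            'Password must differ from the previous one by at least 3 characters');
      END IF;
   END IF;

   RETURN TRUE;
END verify_function_strict;
/

-- Attach it; only passwords changed from now on are checked
ALTER PROFILE NORMAL_USERS LIMIT PASSWORD_VERIFY_FUNCTION verify_function_strict;
```

Two practical notes. The function receives the new password in clear text, so never write it to a log, a table or DBMS_OUTPUT while debugging. And because this check demands a punctuation mark, most passwords that satisfy it will have to be double-quoted in ALTER USER ... IDENTIFIED BY "..." (only _, $ and # are allowed in an unquoted password), which is worth telling users before the rule goes live.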

Expiring/Unlocking Passwords
Manually unlocking a user: a locked account can be unlocked in only two ways:
1) The user waits for the specified PASSWORD_LOCK_TIME period to elapse (if PASSWORD_LOCK_TIME is UNLIMITED, only the second method works).
2) The security administrator manually unlocks the account:
    ALTER USER username ACCOUNT UNLOCK;
Expiring: this SQL forces the user to change their password the next time they log in:
    ALTER USER username PASSWORD EXPIRE;
The administrator can also lock an account explicitly with ALTER USER username ACCOUNT LOCK, for example when an employee leaves.

Determining the Password Status of a Particular User Account
The following SQL prompts for a user account name, then shows the account status (for example whether the account is locked or the password has expired), the date the account was locked out of the database (if any), the date the password will expire (if any), and the profile that the user account has been assigned to.
    COLUMN USERNAME FORMAT A14
    COLUMN ACCOUNT_STATUS FORMAT A14
    COLUMN LOCK_DATE FORMAT A14
    COLUMN EXPIRY_DATE FORMAT A16
    COLUMN PROFILE FORMAT A15
    SELECT USERNAME, ACCOUNT_STATUS,
           TO_CHAR(LOCK_DATE, 'DD-MON-YY') LOCK_DATE,
           TO_CHAR(EXPIRY_DATE, 'DD-MON-YY') EXPIRY_DATE,
           PROFILE
    FROM DBA_USERS
    WHERE USERNAME = '&username';

Determining the Password Status of a Particular User Account
A sample output from the above SQL follows:
    Enter value for username: IOUG_PERSON
    old   6: WHERE USERNAME = '&username'
    new   6: WHERE USERNAME = 'IOUG_PERSON'

    USERNAME       ACCOUNT_STATUS LOCK_DATE      EXPIRY_DATE      PROFILE
    -------------- -------------- -------------- ---------------- ---------------
    IOUG_PERSON    EXPIRED                       00-DECEMBER-00   NORMAL_USERS

Data Dictionary Views Used for Password Management
There are a few data dictionary views that can be queried to determine the status of password management in your database:
- USER_PASSWORD_LIMITS and USER_RESOURCE_LIMITS: the password and resource limits in effect for the current session's own profile (no DBA privileges needed; these views have no ALL_ or DBA_ variants)
- USER_USERS, ALL_USERS, DBA_USERS: account attributes; ACCOUNT_STATUS, LOCK_DATE and EXPIRY_DATE appear in USER_USERS and DBA_USERS, while ALL_USERS shows only the username, user ID and creation date
- DBA_PROFILES: every limit of every profile (there are no USER_ or ALL_ variants of this view)
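As an added example that is not part of the original presentation, the query below turns those views into an audit check. A profile other than DEFAULT stores the string DEFAULT for any limit it does not set, meaning "inherit from the DEFAULT profile", so a limit has to be resolved through a second look-up on DBA_PROFILES before it can be judged. The query does that with a self-join and reports every account whose effective password policy never expires the password, never locks the account after failed logins, or has no verify function (shown by Oracle as the string NULL). It assumes nothing beyond DBA_USERS and DBA_PROFILES, so it needs a DBA account.

```sql
-- Added audit query (not from the original presentation).
-- Requires SELECT on DBA_USERS and DBA_PROFILES, i.e. a DBA account.
COLUMN username        FORMAT A15
COLUMN account_status  FORMAT A16
COLUMN profile         FORMAT A15
COLUMN resource_name   FORMAT A25
COLUMN effective_limit FORMAT A15

SELECT u.username,
       u.account_status,
       u.profile,
       p.resource_name,
       -- resolve DEFAULT against the DEFAULT profile's own value
       DECODE(p.limit, 'DEFAULT', d.limit, p.limit) effective_limit
FROM   dba_users    u,
       dba_profiles p,      -- the limits of the user's own profile
       dba_profiles d       -- the same limits in the DEFAULT profile
WHERE  p.profile       = u.profile
AND    p.resource_type = 'PASSWORD'
AND    d.profile       = 'DEFAULT'
AND    d.resource_name = p.resource_name
AND    p.resource_name IN ('PASSWORD_LIFE_TIME',
                           'FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_VERIFY_FUNCTION')
-- UNLIMITED lifetime or attempts, or no verify function at all
AND    DECODE(p.limit, 'DEFAULT', d.limit, p.limit) IN ('UNLIMITED', 'NULL')
ORDER  BY u.username, p.resource_name;
```

An empty result is the goal. Each row names an account and the limit that is missing; the fix is to tighten the profile in the PROFILE column, or the DEFAULT profile itself, which is what every account not explicitly assigned elsewhere is running under.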

The Don'ts of Oracle Passwords
- Do not use SQLPLUS username/password to go into SQL*Plus. In UNIX, for example, anyone can type "ps -ef" and see the password in clear! Start SQL*Plus with only the username (SQLPLUS username), or with SQLPLUS /NOLOG followed by CONNECT; either way you are prompted for the password and it never appears in the process list.
- Do not use EXP80 or IMP80 (EXP and IMP on UNIX) with the USERID parameter on the command line. The "ps -ef" command would show it too! Instead, put USERID in a parameter file and specify the PARFILE parameter.
- Do not use SQLLDR with the USERID parameter on the command line, for the same reasons; it accepts PARFILE as well.
- A parameter file holds the password in clear text, so create it with permissions that let only its owner read it and remove it when the job is done. Remember that command lines are also written to shell history files.