6-28. Oracle Password Verification Function: VERIFY_FUNCTION

The Oracle server ships a password complexity verification function named VERIFY_FUNCTION. It is created by running the $ORACLE_HOME/rdbms/admin/utlpwdmg.sql script as SYS; a password verification function must be owned by the SYS schema. The supplied function is a template you can adapt for your own password policy.

The supplied password verification function enforces these password restrictions:

  • The minimum length is four characters.
  • The password cannot be the same as the username.
  • The password must have at least one alphabetic, one numeric, and one special character.
  • The password must differ from the previous password by at least three characters.

In addition to creating VERIFY_FUNCTION, the utlpwdmg script also changes the DEFAULT profile with the following ALTER PROFILE command:

ALTER PROFILE default LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 1800
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION verify_function;
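As an added example (not the code shipped in utlpwdmg.sql), here is a custom verification function that implements the four rules listed above and is then attached to the DEFAULT profile. The function name verify_function_custom, the minimum length of 8 and the SCOTT test statements are assumptions for illustration; the three-argument signature and the BOOLEAN return type are what the server requires.

```sql
-- Added example, not the utlpwdmg.sql code. Must be created as SYS:
-- the server only accepts verification functions owned by SYS.
CREATE OR REPLACE FUNCTION sys.verify_function_custom (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
    n_alpha   PLS_INTEGER := 0;
    n_digit   PLS_INTEGER := 0;
    n_special PLS_INTEGER := 0;
    differ    PLS_INTEGER;
    m         PLS_INTEGER;
    c         VARCHAR2(1);
BEGIN
    -- Rule 1: minimum length (the shipped template uses 4; 8 is assumed here)
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;

    -- Rule 2: not the same as the username (case-insensitive, since
    -- usernames are normally stored upper-case)
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not be the same as the username');
    END IF;

    -- Rule 3: at least one letter, one digit and one special character.
    -- Anything that is not an ASCII letter or digit counts as special.
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF c BETWEEN 'a' AND 'z' OR c BETWEEN 'A' AND 'Z' THEN
            n_alpha := n_alpha + 1;
        ELSIF c BETWEEN '0' AND '9' THEN
            n_digit := n_digit + 1;
        ELSE
            n_special := n_special + 1;
        END IF;
    END LOOP;
    IF n_alpha = 0 OR n_digit = 0 OR n_special = 0 THEN
        raise_application_error(-20003,
            'Password must contain at least one letter, one digit and one special character');
    END IF;

    -- Rule 4: differ from the previous password in at least three positions.
    -- old_password is NULL when a DBA creates or resets the account, so the
    -- rule only applies when a user changes their own password.
    IF old_password IS NOT NULL THEN
        differ := ABS(LENGTH(old_password) - LENGTH(password));
        IF differ < 3 THEN
            m := LEAST(LENGTH(old_password), LENGTH(password));
            FOR i IN 1 .. m LOOP
                IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
                    differ := differ + 1;
                END IF;
            END LOOP;
            IF differ < 3 THEN
                raise_application_error(-20004,
                    'Password must differ from the previous one by at least 3 characters');
            END IF;
        END IF;
    END IF;

    RETURN TRUE;
END;
/

-- Attach the function to the DEFAULT profile (as SYS). The check runs on the
-- next password change of every user assigned this profile.
ALTER PROFILE default LIMIT PASSWORD_VERIFY_FUNCTION verify_function_custom;

-- Both of these now fail with ORA-28003 followed by the message raised above
-- (the first is too short and equals the username, the second has no digit
-- or special character):
ALTER USER scott IDENTIFIED BY scott;
ALTER USER scott IDENTIFIED BY abcdefghij;
```

Each rule raises its own error number, so the failing rule is visible in the ORA-28003 message a user sees. Note that old_password is only passed when the user supplies it (ALTER USER ... IDENTIFIED BY new REPLACE old, or the SQL*Plus PASSWORD command), which is why rule 4 is skipped when it is NULL.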

March 28, 2008. profiles, security.

6-23. Profiles and users

Users are assigned only one profile at any given time; a user with no explicitly assigned profile uses the DEFAULT profile.

Profiles:

  • Control resource consumption
  • Manage account status and password expiration

Control resource consumption

Profiles enable the administrator to control the following system resources:

  • CPU: may be limited on a per-session or per-call basis (CPU_PER_SESSION and CPU_PER_CALL, in hundredths of a second).
  • Network/Memory: each database session consumes memory on the server and, when the client is not local to the server, network resources. The corresponding limits are CONNECT_TIME, IDLE_TIME, SESSIONS_PER_USER (concurrent sessions) and PRIVATE_SGA.
  • Disk I/O: limits the amount of data a user can read, either per session or per call. LOGICAL_READS_PER_SESSION and LOGICAL_READS_PER_CALL cap the total number of block reads, whether served from memory or from disk.

Profiles also allow a composite limit. Composite limits are based on a weighted combination of CPU/Session, Reads/Session, Connect Time, and Private SGA. Composite limits are discussed in more detail in the Oracle Database Security Guide.

Manage account status and password expiration

Oracle password management is implemented with user profiles. In Enterprise Manager the settings are on the Password tab of the chosen profile; the equivalent SQL is CREATE PROFILE or ALTER PROFILE. Profiles provide the following standard security features:

Account locking:

  • The FAILED_LOGIN_ATTEMPTS parameter specifies the number of failed login attempts before the lockout of the account.
  • The PASSWORD_LOCK_TIME parameter specifies the number of days for which the account is locked after the specified number of failed login attempts.

Password aging and expiration:

  • The PASSWORD_LIFE_TIME parameter determines the lifetime of the password in days, after which the password expires.
  • The PASSWORD_GRACE_TIME parameter specifies a grace period in days for changing the password after the first successful login after the password has expired.

Password history (the two parameters are evaluated together):

  • PASSWORD_REUSE_TIME: the number of days that must pass before a password can be reused.
  • PASSWORD_REUSE_MAX: the number of password changes required before the current password can be reused.

Both must be set to integers for a password ever to become reusable; an integer for one and UNLIMITED for the other means the password can never be reused, and UNLIMITED for both disables history checking altogether.

Password complexity verification:

  • The PASSWORD_VERIFY_FUNCTION parameter names a PL/SQL function that performs a password complexity check before a password is assigned. Password verification functions must be owned by SYS and must return a Boolean value.
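The following is an added example, not part of the original post, that puts the resource and password parameters above into one profile, assigns it to a user and then checks what is in force. The profile name APP_USER_PROFILE, the user APP_USER and all limit values are assumptions chosen for illustration; the parameter names and the DBA_PROFILES and DBA_USERS columns are Oracle's own.

```sql
-- Added example (assumed names and values). Resource limits in a profile are
-- only enforced while the RESOURCE_LIMIT initialization parameter is TRUE;
-- password limits are enforced regardless of it.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = BOTH;

CREATE PROFILE app_user_profile LIMIT
    -- resource consumption
    CPU_PER_SESSION            600000      -- hundredths of a second: 100 CPU minutes
    CPU_PER_CALL               30000       -- 5 CPU minutes for a single call
    CONNECT_TIME               480         -- minutes
    IDLE_TIME                  30          -- minutes
    SESSIONS_PER_USER          5           -- concurrent sessions
    LOGICAL_READS_PER_SESSION  2000000     -- blocks, from memory or disk
    LOGICAL_READS_PER_CALL     100000
    PRIVATE_SGA                UNLIMITED   -- bytes, only relevant under shared server
    COMPOSITE_LIMIT            UNLIMITED
    -- account locking
    FAILED_LOGIN_ATTEMPTS      5
    PASSWORD_LOCK_TIME         1/24        -- days: locked for one hour
    -- password aging and expiration
    PASSWORD_LIFE_TIME         90          -- days
    PASSWORD_GRACE_TIME        7           -- days after the first login past expiry
    -- password history: an integer for one and UNLIMITED for the other would
    -- forbid reuse forever, so both are set here
    PASSWORD_REUSE_TIME        365
    PASSWORD_REUSE_MAX         10
    -- complexity check, a BOOLEAN function owned by SYS
    PASSWORD_VERIFY_FUNCTION   verify_function;

-- A user holds exactly one profile, so this replaces whatever was assigned before.
ALTER USER app_user PROFILE app_user_profile;

-- What is in force for the profile. A LIMIT of DEFAULT means the value is
-- inherited from the DEFAULT profile, so the DEFAULT profile still matters.
SELECT resource_name, resource_type, limit
FROM   dba_profiles
WHERE  profile = 'APP_USER_PROFILE'
ORDER  BY resource_type, resource_name;

-- Assignment and account state: OPEN, LOCKED(TIMED) after too many failed
-- logins, EXPIRED(GRACE) once PASSWORD_LIFE_TIME has passed, and so on.
SELECT username, profile, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  username = 'APP_USER';

-- Clear a lock before PASSWORD_LOCK_TIME has elapsed.
ALTER USER app_user ACCOUNT UNLOCK;
```

Run the statements as a user with the CREATE PROFILE, ALTER USER and ALTER SYSTEM privileges. The RESOURCE_LIMIT step is the one most often forgotten: without it the CPU, connect-time and read limits above are recorded in the profile but never applied, while the password limits are applied immediately.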

March 28, 2008. profiles.