
RE: password complexity -- implementing security changes

From: <oracle-l-bounce_at_freelists.org>
Date: Thu, 2 Mar 2006 15:57:26 -0700
Message-ID: <A49A36C009B8884C9246B36A0DA7923F013488A3@msha-lak-exmb01.msha.dir.labor.gov>


Yes - We have similar issues with password complexity. We also are required to limit missed passwords to 3 before locking and they expire every 90 days with basically no reuse allowed. Luckily, though, we have a limited number of Oracle accounts so I don't get called too often. The application manages its own passwords internally.

What it all leads to is people using less than secure methods to remember all the complex passwords.

Steve

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Coleman, Kelley (HAC)
Sent: Thursday, March 02, 2006 3:45 PM
To: post.ethan_at_gmail.com; shrekdba_at_gmail.com
Cc: cemail_219_at_hotmail.com; oracle-l_at_freelists.org
Subject: RE: password complexity -- implementing security changes

I'm with you, Ethan. Unfortunately, TPTB have mandated we go to 3 attempts. The number of password reset calls I take has gone up exponentially. And I'm really not being dramatic. I've gone from 3-5 per week to 7-8 per day. It's very frustrating. Most of my users are not super users. They have password requirements that are very complex. And like you, they have 10 different ones to remember and each system's requirements are slightly different so it's rare that they can use the same password on several systems.

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Ethan Post
Sent: Thursday, March 02, 2006 3:37 PM
To: shrekdba_at_gmail.com
Cc: cemail_219_at_hotmail.com; oracle-l_at_freelists.org
Subject: Re: password complexity -- implementing security changes

Here is a "why do we do this" question.

Most of the policies I see concerning failed login attempts lock a user out after a very limited number of attempts. It seems to me that this feature is best at preventing dictionary attacks, but when the number of attempts is limited to say "3" it ends up simply locking out a legitimate user who is trying to remember 1 of 10 passwords they use. Would it be fair to say that this number should be much higher, say 50? This way the user is never inconvenienced and a dictionary attack will still likely be blocked.

On 3/2/06, bill thater <shrekdba_at_gmail.com> wrote:
> On 3/2/06, J. Dex <cemail_219_at_hotmail.com> wrote:
>
> > I am still not even sure if the application is going to prompt them
> > after 90 days to change the password or they will just start getting
> > locked out.
>
> my past experience tells me that unless the application looks for that
> notice explicitly, it won't and they'll just end up locked out.

--
http://www.freelists.org/webpage/oracle-l
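The policy the thread describes (lock after 3 failed attempts, 90-day expiry, no reuse, complexity rules) maps directly onto an Oracle password profile. The following is an added example, not code from any poster; the profile name, function name, thresholds and the SCOTT account are assumptions, and the verify function must be created in the SYS schema. PASSWORD_LOCK_TIME is included because a self-clearing lock keeps the brute-force brake while avoiding most of the reset calls Kelley mentions.

```sql
-- Complexity check (hypothetical, modelled on Oracle's utlpwdmg.sql signature).
-- Run as SYS; Oracle calls it on every CREATE USER / ALTER USER ... IDENTIFIED BY.
CREATE OR REPLACE FUNCTION ora_l_verify_function (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;
    IF NOT REGEXP_LIKE(password, '[0-9]') OR NOT REGEXP_LIKE(password, '[A-Za-z]') THEN
        raise_application_error(-20002, 'Password must contain both letters and digits');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20003, 'Password must not be the username');
    END IF;
    RETURN TRUE;
END;
/

-- Profile implementing the thread's policy (profile name is an assumption).
CREATE PROFILE app_users LIMIT
    FAILED_LOGIN_ATTEMPTS    3          -- the "3 attempts" mandate from the thread
    PASSWORD_LOCK_TIME       1/24       -- days; lock clears itself after 1 hour
    PASSWORD_LIFE_TIME       90         -- days before the password expires
    PASSWORD_GRACE_TIME      7          -- days of ORA-28002 warnings before expiry;
                                        -- the client app must surface that warning
    PASSWORD_REUSE_TIME      UNLIMITED  -- integer on one + UNLIMITED on the other
    PASSWORD_REUSE_MAX       24         --   = password can never be reused
    PASSWORD_VERIFY_FUNCTION ora_l_verify_function;

-- Assign the profile to an account (SCOTT is a placeholder).
ALTER USER scott PROFILE app_users;

-- Helpdesk check: who is locked or about to expire under this profile?
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE profile = 'APP_USERS';

-- Manual unlock when the lock time has not yet elapsed.
ALTER USER scott ACCOUNT UNLOCK;
```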
Received on Thu Mar 02 2006 - 16:57:26 CST
