
Re: password complexity -- implementing security changes

Date: Thu, 02 Mar 2006 15:58:16 -0700

This subject can be a little dicey at the best of times...

One of my favorite techniques for assigning initial passwords is to generate them randomly. (It's not hard, if you need to, to generate "random" passwords that meet quality criteria.)

I find that the advantage to this is that most randomly generated passwords are so *hopelessly* non-memorable that most users require little urging to go out and find the password change utility. ;-) (I automatically deliver instructions along with the randomly generated passwords, just to be sure...)

I found a *dramatic* decrease in the number of users who *never* change their passwords (don't ask!) after I implemented this policy...

Password expiry can be a tricky matter, especially if your users are using anything other than Oracle-supplied applications to log in to the database. To my knowledge, few applications (other than SQL*Plus) can manage to connect to a database to change an expired password...

(Perhaps I'm wrong, in which case, I'd love to hear about it.)

My experience with password quality rules (thus far) has been that they're relatively easy to manage. If your application provides the "widget" that allows users to change passwords, you may have trouble, especially if it doesn't pass through error messages. If it does pass error messages through, then a clear error from your validation function like "ORA-20012: Passwords must contain at least..." should allow all but the densest end users to successfully change a password.

Anyway, I *do* have experience with this, but it *is* limited. I will definitely defer to the sage advice of others on this subject...

> I am wondering how other shops handle security changes relating to password complexity.
> We just implemented a lot of security features into our database including password complexity. The users login through an application. Adding password complexity did not appear to lock out their accounts. When they try and login, though, with multiple attempts it finally does lock it. Do most of you just give them a password initially that fits complexity and tell them they have to change it?
> I am still not even sure if the application is going to prompt them after 90 days to change the password or they will just start getting locked out.

Received on Thu Mar 02 2006 - 16:58:16 CST
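An added example (not from this message or its author) of the kind of SYS-owned verify function and profile the reply and the quoted question touch on: each rule raises its own ORA-20012-style message so an application that passes errors through tells the user exactly what to fix, and the profile supplies the 90-day expiry and failed-login lockout. It assumes Oracle 10g or later for REGEXP_LIKE; the names verify_pw_example, app_users and scott are placeholders.

```sql
-- Run as SYS: Oracle looks for password verify functions in the SYS schema.
-- Signature is fixed: (username, password, old_password) returning BOOLEAN.
CREATE OR REPLACE FUNCTION verify_pw_example (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    -- One distinct, readable message per rule; the user sees which one failed.
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20012,
            'Passwords must contain at least 8 characters');
    END IF;
    IF NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
        raise_application_error(-20013,
            'Passwords must contain at least one digit');
    END IF;
    IF NOT REGEXP_LIKE(password, '[[:upper:]]')
       OR NOT REGEXP_LIKE(password, '[[:lower:]]') THEN
        raise_application_error(-20014,
            'Passwords must contain both upper- and lower-case letters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20015,
            'Password must not be the same as the username');
    END IF;
    -- old_password is NULL when a DBA sets the password with ALTER USER,
    -- so only compare when the user is changing their own password.
    IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
        raise_application_error(-20016,
            'New password must differ from the old password');
    END IF;
    RETURN TRUE;
END;
/

-- Profile (placeholder name) that attaches the function and sets the
-- expiry and lockout behaviour the quoted question asks about.
CREATE PROFILE app_users LIMIT
    PASSWORD_VERIFY_FUNCTION verify_pw_example
    PASSWORD_LIFE_TIME       90     -- password expires after 90 days
    PASSWORD_GRACE_TIME      7      -- 7 days of warnings before the account expires
    FAILED_LOGIN_ATTEMPTS    5      -- lock after 5 consecutive failed logins
    PASSWORD_LOCK_TIME       1/24;  -- unlock automatically after one hour

-- Assign the profile and expire the randomly generated initial password,
-- so the user is forced to choose their own at the first login.
ALTER USER scott PROFILE app_users;
ALTER USER scott PASSWORD EXPIRE;
```

Applications that do not pass error text through will show only a generic failure for every rule above, which is the "widget" problem the reply describes.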
