Re: SQL audit

From: Jared Still
Date: Tue, 22 Dec 2009 07:01:38 -0800

On Mon, Dec 21, 2009 at 6:02 PM, Kellyn Pedersen wrote:

> - that Oracle application users' passwords were set to the same complexity
> requirements as network logins.

Unless all databases are 11g+, or the network password requirements are very simple, that may not be enforceable,
as passwords for any version of Oracle less than 11g are case insensitive.

Many password policies require a combination of upper and lower case. A password policy that requires any 2 of these 3 is more friendly to Oracle:

* upper and lower case
* special characters (punctuation)
* one or more digits

A minimum length limit. I think 8 is fairly common.

With Oracle I find it better to use long passwords (15 characters or more) and skip the punctuation characters. Many utilities (adpatch,, ...)
do not work properly with some special characters.

How did you deal with the Oracle password limitations?

> - And scripted out the ability to reset all Oracle/App system passwords
> every 90 days.

Interesting requirement. Did the auditors also require that all Windows service account passwords
and Unix software owner accounts be reset every 90 days?

If not, there's not a lot of point in changing the Oracle/app passwords.

If so, that must really be interesting, particularly in the case of the service accounts.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist


Received on Tue Dec 22 2009 - 09:01:38 CST
