RE: Automatic Password Reset

From: Sheehan, Jeremy <JEREMY.SHEEHAN_at_nexteraenergy.com>
Date: Wed, 16 Sep 2015 15:25:17 +0000
Message-ID: <939730CDCC52DA43AB03D00E4C678B9C2EDB8899_at_goxsa3144.fplu.fpl.com>



I created a procedure a while back that did this, but we granted access to a few support users. They were more familiar with the user base and spoke their language (the DBAs just got frustrated). There were 1500+ users in the database and resetting passwords was almost a full-time job. I used invoker rights in the procedure and granted the privs necessary to the 2-3 support users that were able to execute the procedure. That restricted use to the couple of users and the DBAs.

Thanks,

Jeremy

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Ethan Post
Sent: Wednesday, September 16, 2015 10:26 AM
To: oracle-l
Subject: Automatic Password Reset



Anyone out there have an automatic way for users to have their account unlocked and passwords reset? My thoughts are to use a generic account, something like "PWD_RESET" which can call a procedure which will do something like the following:

# Assume there is already a table with user/email reference...
# User logs into pwd_reset account.
# User runs exec password_reset('MYUSER_NAME');
# Email with "pin" is sent to email on file.
# User runs exec password_pin(PIN); this returns the temporary pwd.
# User logs in with temporary pass.

Of course the account reset, emails and stuff all happen in background. Whole thing will be disabled if pin is wrong more than N times in a row in case of some sort of guess attack. Will watch for any type of SQL injection possibilities. Everything is logged and admins are emailed about the reset. PWD_RESET account will only have access to the stated procedures.

Anyone doing anything like this? Anyone see any obvious security holes in this approach? I have the APIs in place to make this pretty easy to implement from a coding standpoint.

Thanks,
Ethan Post

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Sep 16 2015 - 17:25:17 CEST
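
One way the PIN-check step of the scheme in the original post could be written in PL/SQL, as an added example that is not code from either poster. It covers the wrong-PIN counter and the SQL injection point in the dynamic ALTER USER; the table `pwd_reset_req`, its columns, the extra `p_username` parameter, the limit of 3 and the use of definer rights are assumptions, and `DBMS_CRYPTO.HASH_SH256` needs Oracle 12c or later.

```sql
-- Added example. Assumed (hypothetical) table, filled by password_reset, all columns NOT NULL:
--   pwd_reset_req(username, pin_hash RAW(32), expires_at DATE, failed_tries NUMBER)
-- The owner needs ALTER USER granted directly and EXECUTE on DBMS_CRYPTO.
CREATE OR REPLACE FUNCTION password_pin (
  p_username IN VARCHAR2,   -- assumption: the version in the thread takes only the PIN
  p_pin      IN VARCHAR2
) RETURN VARCHAR2
  AUTHID DEFINER
IS
  c_max_tries CONSTANT PLS_INTEGER := 3;   -- the "N" from the thread
  l_req  pwd_reset_req%ROWTYPE;
  l_temp VARCHAR2(30);

  PROCEDURE reject IS
  BEGIN
    COMMIT;  -- keep the failed-attempt count even though the call errors out
    RAISE_APPLICATION_ERROR(-20001, 'Reset request is not valid');
  END;
BEGIN
  BEGIN
    -- Lookup uses a bind variable; the row lock serialises concurrent guesses.
    SELECT * INTO l_req FROM pwd_reset_req
     WHERE username = UPPER(p_username) FOR UPDATE;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN reject;  -- same message as a wrong PIN
  END;

  IF l_req.failed_tries >= c_max_tries OR l_req.expires_at < SYSDATE THEN
    reject;
  END IF;

  -- NULL checks first: a NULL comparison must never count as a match.
  IF p_pin IS NULL OR l_req.pin_hash IS NULL OR l_req.pin_hash <>
     DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(p_pin), DBMS_CRYPTO.HASH_SH256) THEN
    UPDATE pwd_reset_req SET failed_tries = failed_tries + 1
     WHERE username = l_req.username;
    reject;
  END IF;

  -- The PIN is single use: the DDL below commits this delete.
  DELETE FROM pwd_reset_req WHERE username = l_req.username;
  -- Temporary password from the CSPRNG; hex only, so it cannot break out of the quotes.
  l_temp := 'Tmp#' || LOWER(RAWTOHEX(DBMS_CRYPTO.RANDOMBYTES(12)));
  -- DDL cannot take bind variables: quote the identifier with DBMS_ASSERT instead.
  EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(l_req.username, FALSE)
    || ' IDENTIFIED BY "' || l_temp || '" PASSWORD EXPIRE ACCOUNT UNLOCK';
  RETURN l_temp;
END password_pin;
/
```

PASSWORD EXPIRE forces the user to choose a new password at first login, so the value returned here stops working after one use.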
