Re: Verifying passwords have been changed in oracle
in article s94hqa.s81.ln_at_spuddy.org, Stephen Harris at sweh_at_spuddy.mew.co.uk
wrote on 11/8/02 11:46 AM:
> Ed Stevens <spamdump_at_nospam.noway.nohow> wrote:
>> How often do you have to audit to ensure the sys and system passwords have
>> been changed from the default? I would think this is something you'd have to
>> check exactly once. And even if there were some fear that it might get set back to
I'm confused - you want to check to see if a default password has been used, but identified that you couldn't use the default password to check because password verification routines are in place. Doesn't the latter preclude the former? Check that the verification routines are in place during build, and then once in production, you won't have to check again (especially as your security team are auditing connections on sys/system anyhow).
Or is there more to this story I'm not getting?
As an aside, we are presenting next week at OracleWorld on things users have done to fill supposed gaps in the database, when they could have used one of the database features - for instance, a company using MQSeries to send messages between only Oracle databases. One of the classic real world examples is a company that automated password checking scripts to ensure that users didn't use obvious passwords. This thing ran continuously on over 1000 instances a day - driving systems/networks into the ground, and generating massive amounts of audit trail. A quick deployment of password verification routines solved their self-imposed problems.

Received on Sun Nov 10 2002 - 10:48:44 CST
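The build-time check suggested in the reply above could look like the following. This is an added example, not part of the original post: the function name `verify_not_default` and the profile name `admin_profile` are hypothetical, and the sketch assumes it is run as SYS, since a password verify function has to be owned by SYS.

```sql
-- Added example: hypothetical verify function, run as SYS.
CREATE OR REPLACE FUNCTION verify_not_default (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not equal the user name');
    END IF;
    -- Deny-list of the documented installation defaults for SYSTEM and SYS.
    IF UPPER(password) IN ('MANAGER', 'CHANGE_ON_INSTALL') THEN
        raise_application_error(-20003, 'Password is a well-known default');
    END IF;
    RETURN TRUE;
END;
/

-- Hypothetical profile that attaches the function to password changes.
CREATE PROFILE admin_profile LIMIT
    PASSWORD_VERIFY_FUNCTION verify_not_default;

ALTER USER system PROFILE admin_profile;

-- Build-time check: report the verify function configured for SYS and SYSTEM.
-- A value of NULL means no function; DEFAULT means the setting is inherited
-- from the DEFAULT profile, which then has to be checked as well.
SELECT u.username,
       u.profile,
       p.limit AS verify_function
FROM   dba_users u
JOIN   dba_profiles p
       ON p.profile = u.profile
WHERE  p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
AND    u.username IN ('SYS', 'SYSTEM');
```

The final query reads only the data dictionary, so it can run once per build without generating the connection attempts and audit trail that a password-guessing script would.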