Re: Verifying passwords have been changed in oracle
Mark Townsend <markbtownsend_at_attbi.com> wrote:
> I'm confused - you want to check to see if a default password has been used,
> but identified that you couldn't use the default password to check because
> password verification routines are in place. Doesn't the latter preclude the
> former? Check that the verification routines are in place during build, and
Modifying the default profile doesn't enforce password security on existing passwords.
create user fred identified by rubbish;
Now change the default profile so that strong passwords are enforced. The user 'fred' still has a poor password.
In my case, I'm looking at verifying things such as 'manager' is not valid for the 'system' account.
> then once in production, you won't have to check again (especially as your
> security team are auditing connections on sys/system anyhow).
>
> Or is there more to this story I'm not getting?
Automation, the DBA changing default profiles, requirements from business risk managers. I have to implement what the business asks for, not what is necessarily sensible :-)
But mainly... the goal of this is to provide an automated method of determining whether a database installation meets business security baseline requirements. It doesn't matter if this tool is run straight after an instance is created or 3 months later; we need to check and verify the same thing.
> examples is a company that automated password checking scripts to ensure
> that users didn't use obvious passwords. This thing ran continuously on over
> 1000 instances a day - driving systems/networks into the ground, and
> generating massive amounts of audit trail. A quick deployment of password
Which is why I don't _want_ to attempt to connect as system/manager because of the audit logs this would generate.
> verification routines solved their self-imposed problems.
See above.
-- 
Stephen Harris
sweh_at_spuddy.mew.co.uk
The truth is the truth, and opinion just opinion. But what is what?
My employer pays to ignore my opinions; you get to do it for free.

Received on Sun Nov 10 2002 - 11:09:29 CST