Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Verifying passwords have been changed in oracle

From: Daniel Morgan <dmorgan_at_exesolutions.com>
Date: Mon, 11 Nov 2002 19:00:03 GMT
Message-ID: <3DCFFE33.FCF974C9@exesolutions.com>


Stephen Harris wrote:

> Mark Townsend <markbtownsend_at_attbi.com> wrote:
> > I'm confused - you want to check to see if a default password has been used,
> > but identified that you couldn't use the default password to check because
> > password verification routines are in place. Doesn't the latter preclude the
> > former ? Check that the verification routines are in place during build, and
>
> Modifying the default profile doesn't enforce password security on existing
> passwords.
>
> create user fred identified by rubbish;
>
> Now change the default profile so that strong passwords are enforced. The
> user 'fred' still has a poor password.
>
> In my case, I'm looking at verifying things such as 'manager' is
> not valid for the 'system' account.
>
> > then once in production, you won't have to check again (especially as your
> > security team are auditing connections on sys/system anyhow).
> >
> > Or is there more to this story I'm not getting ?
>
> Automation, the DBA changing default profiles, requirements from business
> risk managers. I have to implement what the business asks for, not what
> is necessarily sensible :-)
>
> But mainly... the goal of this is to provide an automated method of
> determining whether a database installation meets business security
> baseline requirements. It doesn't matter if this tool is run straight
> after an instance is created or 3 months later, we need to check and
> verify the same thing.
>
> > examples is a company that automated password checking scripts to ensure
> > that users didn't use obvious passwords. This thing ran continuously on over
> > 1000 instances a day - driving systems/networks into the ground, and
> > generating massive amounts of audit trail. A quick deployment of password
>
> Which is why I don't _want_ to attempt to connect as system/manager because
> of the audit logs this would generate.
>
> > verification routines solved their self imposed problems.
>
> See above.
>
> --
> Stephen Harris
> sweh_at_spuddy.mew.co.uk
> The truth is the truth, and opinion just opinion. But what is what?
> My employer pays to ignore my opinions; you get to do it for free.

Security is best instituted before you start using a database, not after the fact. But you can still accomplish the goal by expiring all passwords and forcing them to be reset.

Daniel Morgan Received on Mon Nov 11 2002 - 13:00:03 CST
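The points raised in the thread can be put together in one DBA script: a check for the well-known default passwords that never attempts a logon as the audited account (so it generates no failed-logon audit records), the profile change that enforces a verification function, the blanket expiry Daniel suggests so that the new policy actually applies to existing passwords, and the follow-up query that reports who has not yet reset. This is an added example, not code from the original post; it assumes a DBA session in SQL*Plus with SELECT on the DBA_* views and ALTER USER / ALTER PROFILE privileges, that the password verification function has been installed from $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (its name varies by release; VERIFY_FUNCTION is used here as a placeholder), and, for the second check, an 11g-or-later database where the DBA_USERS_WITH_DEFPWD view exists (a feature added after this 2002 thread).

```sql
-- Added example, not from the original post. Run as a DBA; nothing here
-- connects as SYSTEM or SYS, so no logon audit trail is produced.

-- 1. Baseline check without attempting a logon.
--    Pre-11g: DBA_USERS.PASSWORD exposes the DES-based hash, which is
--    deterministic for a given username/password pair, so the shipped
--    defaults can be recognised by comparing the stored hash.
SELECT username, account_status
FROM   dba_users
WHERE  (username = 'SYSTEM' AND password = 'D4DF7931AB130E37')   -- system/manager
   OR  (username = 'SYS'    AND password = 'D4C5016086B2DC6A');  -- sys/change_on_install

--    11g and later: DBA_USERS.PASSWORD is blank, and Oracle ships a
--    dictionary view for exactly this question (requires 11g+).
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- 2. Enforce the policy on the profile. VERIFY_FUNCTION is assumed to be the
--    function created by utlpwdmg.sql on this release; substitute the name
--    that utlpwdmg.sql installed on your system.
ALTER PROFILE default LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function
  PASSWORD_LIFE_TIME       90
  FAILED_LOGIN_ATTEMPTS    5;

-- 3. The profile only bites on the next password change, so expire every
--    open account: the owner must choose a new, policy-checked password at
--    the next logon. SYS is excluded because it is also authenticated via
--    the password file and should be handled deliberately, not in a loop.
BEGIN
  FOR u IN (SELECT username
            FROM   dba_users
            WHERE  account_status = 'OPEN'
            AND    username <> 'SYS') LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || u.username || '" PASSWORD EXPIRE';
  END LOOP;
END;
/

-- 4. Re-run at any later time (the day after or three months after): an
--    account still in EXPIRED or EXPIRED(GRACE) status has not been reset by
--    its owner and is the finding for the baseline report.
SELECT username, account_status, expiry_date, profile
FROM   dba_users
WHERE  account_status LIKE 'EXPIRED%'
ORDER  BY username;
```

Two caveats for anyone wiring this into an automated baseline tool: the pre-11g hash comparison is itself a read of password material (the hash is offline-crackable), so the tool's own credentials and output need protecting; and the expiry in step 3 is disruptive to application schemas whose passwords live in connection strings, so those accounts should be reset in a maintenance window rather than left to expire on their own.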
