Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Re: same dba password for all instances : is it secure ?
marcel.fleury_at_bluewin.ch (Fleury Marcel) wrote in message news:<f18358b2.0210302341.2bfb1e0d_at_posting.google.com>...
> Hello,
> We administrate about 60 Oracle Instances.
>
> SYS has its password, for example syspwd, and SYSTEM also has its password,
> for example systempwd.
> But we use the same on all Oracle Instances.
>
> So if someone knows a password, he can use it for all Instances.
>
> But it is difficult to ask the DBA to use a distinct password for each
> Instance.
>
> Suggestions to perform this security are welcome.
> Or advice to remember each password
>
> Thank you
>
> Marcel
Well, I've seen a lot of variations on this, mostly horrific to security types. I've seen some places make it so hard that the admins just blow it all away and do something easy, and no one ever knows. Remember, if someone can connect internal, then you are using OS security - and remote-os-auth with Windows boxes is notoriously easy to bluff. Once you can select the password, you can change it, then change it back, even if you don't know it.
So some places find a happy medium by a combination of the instance or hostname and an algorithm that only face-to-face contact can know, preferably something humorous to make it easy to remember. For example, last three letters of instance_name plus rude name for boss plus the date of the first Monday after your favorite holiday.
Then there's opening holes in firewalls...
jg
-- @home is bogus. "It ain't security unless it hurts." An old cow-orker.
Received on Thu Oct 31 2002 - 19:20:12 CST
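An added example, not part of the original thread: it builds per-instance passwords with the composition rule described in the reply above and measures how much of each password is shared across instances, next to a variant that derives each password from one memorised secret with PBKDF2 salted by the instance name (a swapped-in technique, not something the thread proposes). The instance names, secret values, function names and the uppercase-alphanumeric output format are assumptions made for the illustration.

```python
import hashlib
import string

# Assumption: uppercase letters and digits, starting with a letter, so the
# result is acceptable as an unquoted database password.
ALPHABET = string.ascii_uppercase + string.digits

def rule_password(instance_name, secret_word, date_part):
    """Rule from the reply: last three letters of the instance name
    plus a shared secret word plus a shared date."""
    return instance_name[-3:].upper() + secret_word + date_part

def derived_password(master_secret, instance_name, length=20, rounds=200_000):
    """Per-instance password from one memorised secret (PBKDF2-HMAC-SHA256),
    salted with the instance name so every instance gets unrelated output."""
    raw = hashlib.pbkdf2_hmac("sha256", master_secret.encode(),
                              instance_name.upper().encode(), rounds, dklen=length)
    first = string.ascii_uppercase[raw[0] % 26]
    # The modulo mapping has a slight bias; acceptable for an illustration.
    rest = "".join(ALPHABET[b % len(ALPHABET)] for b in raw[1:])
    return first + rest

def common_suffix_len(a, b):
    """Number of trailing characters two passwords have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n

if __name__ == "__main__":
    instances = ["PRODFIN", "TESTHR"]            # constructed instance names
    secret, date = "GRUMPY", "20021104"          # constructed shared parts
    rule = [rule_password(i, secret, date) for i in instances]
    kdf = [derived_password("constructed master phrase", i) for i in instances]
    # Rule-based: everything after the 3-letter prefix is identical, so one
    # disclosed password exposes the shared part used on every instance.
    print(rule, "shared tail:", common_suffix_len(*rule))
    # Derived: knowing one password says nothing about the others without
    # the master secret.
    print(kdf, "shared tail:", common_suffix_len(*kdf))
```

With the derived variant the DBA still memorises one secret, but that secret never leaves the derivation step and is not itself a password on any instance.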