Pau Lo

asked on

password management in 11g

Where can I see what password management policies (i.e. length, expiry, account lockout for failed logins etc) are in place for 11g database accounts?

Also - can you set one policy for one set of accounts, and another for another set of accounts? If so, how can you see which accounts are subject to which policy?
ASKER CERTIFIED SOLUTION
kkretser
SOLUTION
slightwv (䄆 Netminder)

Pau Lo

ASKER

Also, if say I have 40 database accounts, how can I see which dba_profile is assigned to each account?

I believe this is still the case even in 11g. Length and complexity are enforced with a function and set with PASSWORD_VERIFY_FUNCTION.

>>how can I see which dba_profile is assigned to each account?

select username,profile from dba_users;

ASKER

Here is an extract:

FAILED_LOGIN_ATTEMPTS      PASSWORD      UNLIMITED
PASSWORD_LIFE_TIME      PASSWORD      UNLIMITED
PASSWORD_REUSE_TIME      PASSWORD      UNLIMITED
PASSWORD_REUSE_MAX      PASSWORD      UNLIMITED
PASSWORD_VERIFY_FUNCTION      PASSWORD      NULL
PASSWORD_LOCK_TIME      PASSWORD      1
PASSWORD_GRACE_TIME      PASSWORD      7

So does password_verify_function = null mean there isn't a password complexity policy in our database?

>>mean there isn't a password complexity policy in our database?

I'll defer to the docs:
http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_6010.htm#SQLRF01310

PASSWORD_VERIFY_FUNCTION: The PASSWORD_VERIFY_FUNCTION clause lets a PL/SQL password complexity verification script be passed as an argument to the CREATE PROFILE statement. Oracle Database provides a default script, but you can create your own routine or use third-party software instead.
• For function, specify the name of the password complexity verification routine.
• Specify NULL to indicate that no password verification is performed.

ASKER

Ouch!

Is there any common reason why DBAs don't want policies like password expiration on all database accounts? It doesn't seem all that common as it does domain accounts. I just wondered why that could be, and whether it can affect things by enforcing such a policy?

Expiring passwords can affect applications.

Typically accounts are split between service level accounts and user level accounts.  You can also have different levels of service accounts.

Some shops allow for service level accounts to not have the same restrictions as user level accounts.

For some applications you cannot change the password at the database level; it needs to be changed through the app itself. These accounts should not have automatic expiration. It should be controlled through the app itself.

As for why DBAs don't want/like password restrictions:  Do you like new rules in general?  They are seen as an intrusion.

ASKER

>Typically accounts are split between service level accounts and user level accounts

Can I ask for a layman's breakdown of which fall into which, i.e. can you define a service level account, and can you define a user level account?

A service level account is typically an account used by applications to connect to the database.

User-level accounts are specific users that connect directly to the database for whatever purpose.

Admin accounts can be sort of a hybrid.  It is up to you to decide what policies to assign to them.  I would probably impose tighter restrictions on them than I do regular users.
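
The two lookups discussed in this thread (which profile each account has, and what that profile's password limits are) can be combined into one audit query. This is an added example, not part of any post above; it assumes read access to the dba_users and dba_profiles views, and the column aliases are chosen here for illustration.

```sql
-- Added example: one row per account with its profile and the password
-- limits that actually apply to it.
-- In a non-DEFAULT profile, a limit of DEFAULT means "inherit the value
-- from the DEFAULT profile", so it is resolved against that profile's row.
WITH effective AS (
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
           AS effective_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.profile       = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
)
SELECT u.username,
       u.account_status,
       u.profile,
       MAX(CASE e.resource_name WHEN 'FAILED_LOGIN_ATTEMPTS'
                THEN e.effective_limit END) AS failed_login_attempts,
       MAX(CASE e.resource_name WHEN 'PASSWORD_LOCK_TIME'
                THEN e.effective_limit END) AS lock_time_days,
       MAX(CASE e.resource_name WHEN 'PASSWORD_LIFE_TIME'
                THEN e.effective_limit END) AS life_time_days,
       MAX(CASE e.resource_name WHEN 'PASSWORD_GRACE_TIME'
                THEN e.effective_limit END) AS grace_time_days,
       MAX(CASE e.resource_name WHEN 'PASSWORD_REUSE_TIME'
                THEN e.effective_limit END) AS reuse_time_days,
       MAX(CASE e.resource_name WHEN 'PASSWORD_REUSE_MAX'
                THEN e.effective_limit END) AS reuse_max,
       -- The string NULL here means no complexity check is performed.
       MAX(CASE e.resource_name WHEN 'PASSWORD_VERIFY_FUNCTION'
                THEN e.effective_limit END) AS verify_function
FROM   dba_users u
JOIN   effective e
       ON e.profile = u.profile
GROUP  BY u.username, u.account_status, u.profile
ORDER  BY u.profile, u.username;
```

Rows showing UNLIMITED for failed_login_attempts or NULL for verify_function identify the accounts that have no lockout or no complexity check, which is where a review of service versus user accounts would start.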