Re: Oracle users and password changes

  • From: Mladen Gogala <mgogala@xxxxxxxxxxx>
  • To: DIANNA.GIBBS@xxxxxxxxxxxxx
  • Date: Wed, 04 Apr 2007 12:26:03 -0400

DIANNA GIBBS wrote:
We need to set up a process where Oracle
users (currently few and mostly ODBC using Access) are notified
and can change their password dynamically every 90 days.

We were wondering what other companies do and any
best practices?  Any thoughts or comments appreciated.

Thanks.
Dianna G.



Most of the other companies have DBA personnel capable of reading documentation. More specifically, I believe that there is a "CREATE PROFILE" statement described in the documentation and that the following options are supported:

FAILED_LOGIN_ATTEMPTS Specify the number of failed attempts to log in to the user account before the account is locked.

PASSWORD_LIFE_TIME Specify the number of days the same password can be used for authentication. If you also set a value for |PASSWORD_GRACE_TIME|, the password expires if it is not changed within the grace period, and further connections are rejected. If you do not set a value for |PASSWORD_GRACE_TIME|, its default of |UNLIMITED| will cause the database to issue a warning but let the user continue to connect indefinitely.

PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX These two parameters must be set in conjunction with each other. |PASSWORD_REUSE_TIME| specifies the number of days before which a password cannot be reused. |PASSWORD_REUSE_MAX| specifies the number of password changes required before the current password can be reused. For these parameters to have any effect, you must specify an integer for both of them.

   * If you specify an integer for both of these parameters, then the
     user cannot reuse a password until the password has been changed
     the number of times specified for |PASSWORD_REUSE_MAX| during the
     number of days specified for |PASSWORD_REUSE_TIME|.

     For example, if you specify |PASSWORD_REUSE_TIME| to 30 and
     |PASSWORD_REUSE_MAX| to 10, then the user can reuse the password
     after 30 days if the password has already been changed 10 times.

   * If you specify an integer for either of these parameters and
     specify |UNLIMITED| for the other, then the user can never reuse a
     password.

   * If you specify |DEFAULT| for either parameter, then Oracle
     Database uses the value defined in the |DEFAULT| profile. By
     default, all parameters are set to |UNLIMITED| in the |DEFAULT|
     profile. If you have not changed the default setting of
     |UNLIMITED| in the |DEFAULT| profile, then the database treats the
     value for that parameter as |UNLIMITED|.

   * If you set both of these parameters to |UNLIMITED|, then the
     database ignores both of them.

PASSWORD_LOCK_TIME Specify the number of days an account will be locked after the specified number of consecutive failed login attempts.

PASSWORD_GRACE_TIME Specify the number of days after the grace period begins during which a warning is issued and login is allowed. If the password is not changed during the grace period, the password expires.

There are some other options, too, but those are not for beginners.



--
//www.freelists.org/webpage/oracle-l
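
A profile matching the 90-day requirement in the question, written out as an added example that is not part of the original post. The profile name APP_PWD_90, the account APP_USER and every limit value other than the 90 days are assumptions.

```sql
-- Added example. APP_PWD_90, APP_USER and the limit values are assumptions.

-- 1. Create the profile.
--    PASSWORD_LIFE_TIME 90 starts the warning period after 90 days.
--    PASSWORD_GRACE_TIME is set explicitly: left at UNLIMITED, the user is
--    only warned and can keep connecting with the old password indefinitely.
--    FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME lock the account for one
--    day after five consecutive failed logins.
--    PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX are both integers, because
--    the reuse rule has no effect unless both are set.
CREATE PROFILE app_pwd_90 LIMIT
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   14
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1
  PASSWORD_REUSE_TIME   365
  PASSWORD_REUSE_MAX    10;

-- 2. Attach the profile to an account.
ALTER USER app_user PROFILE app_pwd_90;

-- 3. Confirm the password limits now in force for the profile.
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'APP_PWD_90'
AND    resource_type = 'PASSWORD'
ORDER  BY resource_name;

-- 4. List accounts to notify: passwords expiring within the next 14 days.
--    How EXPIRY_DATE is populated for accounts that are still OPEN differs
--    between releases, so check the output against a test account first.
SELECT username,
       account_status,
       expiry_date,
       TRUNC(expiry_date - SYSDATE) AS days_left
FROM   dba_users
WHERE  profile = 'APP_PWD_90'
AND    expiry_date < SYSDATE + 14
ORDER  BY expiry_date;
```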
