Re: RE: password complexity -- implementing security changes

  • From: MARK BRINSMEAD <mark.brinsmead@xxxxxxx>
  • To: paul.baumgartel@xxxxxxxxxxxxxxxxx
  • Date: Fri, 03 Mar 2006 16:31:21 -0700

Agreed.

Of course, SOME of these rules can be circumvented
with appropriate use of quotes.  Or perhaps more
accurately, probably all of these rules can be 
circumvented at least some of the time.

Sadly, when it comes time to actually *use* the
passwords, some contexts (e.g., Pro*C) don't permit
you to use quotes...

The one that particularly caused me trouble with 
Pro*C, if I recall (it was 3 years ago) had 
something like 3 consecutive '/' characters.  As
I recall, one or two would actually have been okay.

I can definitely see "@" causing trouble, too.


----- Original Message -----
From: "Baumgartel, Paul" <paul.baumgartel@xxxxxxxxxxxxxxxxx>
Date: Friday, March 3, 2006 1:38 pm
Subject: RE: password complexity -- implementing security changes

> An Oracle password has the following rules: 
> A password must begin with an alphabetic character. 
> Passwords can contain only alphanumeric characters and the 
> underscore (_), dollar sign ($), and pound sign (#). 
> 
> So your @s, your /s, and your ^s are problematic from the get-go.
> 
> Paul Baumgartel
> paul.baumgartel@xxxxxxxxxxxxxxxxx
> 212.538.1143
> 
> 
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of MARK BRINSMEAD
> Sent: Friday, March 03, 2006 3:22 PM
> To: jkstill@xxxxxxxxx
> Cc: venu_potluri@xxxxxx; rjamya@xxxxxxxxx; wbfergus@xxxxxxxx;
> oracle-l@xxxxxxxxxxxxx
> Subject: Re: password complexity -- implementing security changes
> 
> 
> Okay, so why is *that* a problem?  After all,
> last time I checked, Oracle database passwords
> were case-insensitive anyway...
> 
> Special characters, on the other hand, *can* be a 
> problem.  I seem to recall even SQL*Plus giving 
> me considerable grief with a password that 
> contained "/" characters...  No wait; it was a 
> Pro*C application.
> 
> 
> 
> ----- Original Message -----
> From: Jared Still <jkstill@xxxxxxxxx>
> Date: Friday, March 3, 2006 12:30 pm
> Subject: Re: password complexity -- implementing security changes
> 
> > 
> > 
> > One thing the verify_function cannot do is enforce upper or lower
> > case. Try it, case doesn't matter.
> > 
> > While on the subject, be careful with those special characters.
> > 
> > Some applications do not like them.
> > 
> > Net Backup for instance will not work if there is a @ or ^ in the 
> > password for the account used to do backups.
> > 
> > 
> > 
> > Jared Still
> > Certifiable Oracle DBA and Part Time Perl Evangelist
> > 
> 
> --
> //www.freelists.org/webpage/oracle-l

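Added example, not part of the original thread: a Python pre-check that applies the password rules quoted above (leading letter; then letters, digits, _ $ #) and estimates how much keyspace is left once case is ignored, as the thread says it is. The function names are hypothetical and the sample passwords are constructed.

```python
import math
import string

# Rules as quoted in the thread: first character alphabetic, remaining
# characters alphanumeric or one of _ $ #.
LETTERS = set(string.ascii_letters)
ALLOWED = set(string.ascii_letters + string.digits + "_$#")


def check(password):
    """Return a list of reasons the password cannot be used unquoted."""
    problems = []
    if not password or password[0] not in LETTERS:
        problems.append("must begin with an alphabetic character")
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        # These only work where the client lets you quote the password,
        # which the thread notes is not the case everywhere (e.g. Pro*C).
        problems.append("needs quoting: " + " ".join(bad))
    return problems


def effective_bits(length):
    """Entropy of a random rule-conforming password, case ignored.

    Assumption taken from the thread: passwords are case-insensitive,
    so only 26 letters count. First position: 26 choices. Every other
    position: 26 letters + 10 digits + 3 symbols = 39 choices.
    """
    if length < 1:
        return 0.0
    return math.log2(26) + (length - 1) * math.log2(39)


def naive_bits(length):
    """What a policy assuming all 95 printable ASCII characters expects."""
    return length * math.log2(95)


if __name__ == "__main__":
    for pw in ["Summer_2006#", "p@ss///w^rd", "9lives"]:  # constructed samples
        print(repr(pw), check(pw) or "ok unquoted")
    for n in (8, 12, 16):
        print(n, "chars:", round(effective_bits(n), 1), "bits effective vs",
              round(naive_bits(n), 1), "bits assumed")
```

The gap between the two estimates is the practical point for a complexity policy: under these rules, length buys more than extra character classes do.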