RE: password complexity -- implementing security changes

  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 2 Mar 2006 15:57:26 -0700

Yes - We have similar issues with password complexity.  We also are
required to limit missed passwords to 3 before locking and they expire
every 90 days with basically no reuse allowed.  Luckily, though, we have
a limited number of Oracle accounts so I don't get called too often.
The application manages its own passwords internally.

What it all leads to is people using less than secure methods to
remember all the complex passwords.

Steve 


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Coleman, Kelley
(HAC)
Sent: Thursday, March 02, 2006 3:45 PM
To: post.ethan@xxxxxxxxx; shrekdba@xxxxxxxxx
Cc: cemail_219@xxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: password complexity -- implementing security changes


I'm with you, Ethan.  Unfortunately, TPTB have mandated we go to 3
attempts.  The number of password reset calls I take has gone up
exponentially.  And I'm really not being dramatic.  I've gone from 3-5
per week to 7-8 per day.  It's very frustrating. Most of my users are
not super users. They have password requirements that are very complex.
And like you, they have 10 different ones to remember and each system's
requirements are slightly different so it's rare that they can use the
same password on several systems.

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Ethan Post
Sent: Thursday, March 02, 2006 3:37 PM
To: shrekdba@xxxxxxxxx
Cc: cemail_219@xxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: password complexity -- implementing security changes

Here is a "why do we do this" question.

Most of the policies I see concerning failed login attempts lock a user
out after a very limited number of attempts. It seems to me that this
feature is best at preventing dictionary attacks, but when the number of
attempts is limited to say "3" it ends up simply locking out a
legitimate user who is trying to remember 1 of 10 passwords they use.
Would it be fair to say that this number should be much higher, say 50?
This way the user is never inconvenienced and a dictionary attack will
still likely be blocked.

On 3/2/06, bill thater <shrekdba@xxxxxxxxx> wrote:
> On 3/2/06, J. Dex <cemail_219@xxxxxxxxxxx> wrote:
>
> > I am still not even sure if the application is going to prompt them
> > after 90 days to change the password or they will just start getting
> > locked out.
>
> my past experience tells me that unless the application looks for that
> notice explicitly, it won't and they'll just end up locked out.
--
//www.freelists.org/webpage/oracle-l
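As an added example that is not part of any post in the thread: the two lockout policies Ethan's message argues over, expressed as Oracle password profiles (the thread is on oracle-l), together with the audit queries a DBA could use to tell a forgetful user apart from a guessing run. Profile and user names are placeholders, and verify_function assumes Oracle's shipped utlpwdmg.sql script has been run.

```sql
-- Added example (not from the thread). Two Oracle password profiles that
-- encode the policy the posters describe: the mandated 3-attempt profile
-- and the higher threshold Ethan proposes, with a short self-expiring lock.
-- Profile and user names are placeholders; verify_function is assumed to
-- have been installed from Oracle's shipped utlpwdmg.sql script.

-- 1. The mandated policy: lock after 3 failures, stay locked until a DBA
--    unlocks the account, expire every 90 days, never reuse a password.
CREATE PROFILE app_users_strict LIMIT
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       UNLIMITED    -- manual unlock only
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7            -- ORA-28002 warning window
  PASSWORD_REUSE_MAX       24
  PASSWORD_REUSE_TIME      UNLIMITED    -- integer + UNLIMITED = no reuse ever
  PASSWORD_VERIFY_FUNCTION verify_function;

-- 2. The alternative under discussion: a threshold well above anything a
--    forgetful user reaches, with the lock clearing itself after an hour,
--    so online guessing is throttled without a helpdesk call.
CREATE PROFILE app_users_throttled LIMIT
  FAILED_LOGIN_ATTEMPTS    50
  PASSWORD_LOCK_TIME       1/24         -- fraction of a day: one hour
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       24
  PASSWORD_REUSE_TIME      UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;

ALTER USER app_user PROFILE app_users_throttled;  -- placeholder user

-- 3. Record failed logons so a burst of ORA-01017 errors against one
--    account can be told apart from a user cycling through their passwords.
AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL;

SELECT username, os_username, userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_failure, MAX(timestamp) AS last_failure
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 1
 GROUP BY username, os_username, userhost
 ORDER BY failures DESC;

-- 4. Accounts currently locked by their profile (what generates the calls).
SELECT username, account_status, lock_date, profile
  FROM dba_users
 WHERE account_status LIKE '%LOCKED%';
```

The failed-attempt counter resets on each successful logon, so a user who gets in on the third try never approaches either limit; only sustained failures against one account reach the lock.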