Re: 11g password complexity

  • From: Yong Huang <yong321@xxxxxxxxx>
  • To: kathryn axelrod <kat.axe@xxxxxxxxx>
  • Date: Wed, 28 Apr 2010 09:56:09 -0700 (PDT)

You're right, Kathryn. I was wrong. verify_function_11G removed the punctuation 
mark check.

It's interesting to note that 11gR1 Security Guide still recommends "include at 
least 1 punctuation mark"
http://www.comp.dit.ie/btierney/Oracle11gDoc/network.111/b28531/authentication.htm#CHDFDHAJ

In 11gR2, it changes to "can include multibyte characters", "can include the 
underscore (_), dollar ($), and number sign (#) characters"
http://download.oracle.com/docs/cd/E11882_01/network.112/e10574/guidelines.htm#CHDEGEIF

I think one reason the punctuation mark check is removed is that adding mixed 
case letters makes brute force password cracking much harder than including 
punctuation marks, 26 more possibilities versus fewer than 20 or so (in fact, 
much lower considering people's habit of only using a few familiar punctuation 
marks). And the inconvenience of enclosing the password with punctuation marks 
in double quotes is not worth it.

Yong Huang

--- On Wed, 4/28/10, kathryn axelrod <kat.axe@xxxxxxxxx> wrote:

From: kathryn axelrod <kat.axe@xxxxxxxxx>
Subject: Re: 11g password complexity
To: "Yong Huang" <yong321@xxxxxxxxx>
Cc: oracle-l@xxxxxxxxxxxxx
Date: Wednesday, April 28, 2010, 10:56 AM

Hi Yong,
 
Are you looking at the updated version (verify_function_11g) or the original 
version (verify_function)? The utlpwdmg.sql (in 11.1.0.7 at least) contains 
both. And as part of the script it sets the default profile to use the 11g 
version.

Thanks,
-kathryn

 
On Wed, Apr 28, 2010 at 7:21 AM, Yong Huang <yong321@xxxxxxxxx> wrote:


> The basic utlpwdmg.sql script was modified for 11g and as one would expect,
...

> In prior versions, it required "at least one digit, one character and one
> punctuation". The 11g version requires "at least one digit, one character".

> Does anyone know why they removed the 'punctuation' requirement?



Kathryn,

I checked utlpwdmg.sql in both 11.1 and 11.2.0.1. They both still have the
same requirement, "at least one digit, one character and one punctuation".

Yong Huang