Hello!

Are there any restrictions on user passwords in Oracle Database? On the Internet, I came across statements that the password must not necessarily begin with a digit. I have no opportunity to check directly on the database right now. Ideally, I need an extract from some source with the parameters, or a refutation.

Thank you in advance!


    Password rules:

    A single set of password rules applies to all companies and users. Password rules are set in accordance with the Oracle Security Standards for Internet Applications.

    General password rules

    The following are general rules for passwords:

    • The password must be at least eight characters.
    • The password must contain at least one lower case character.
    • The password must contain at least one uppercase character.
    • The password must have at least one numeric character.
    • The password may contain one or more special characters.

    The only special characters that are accepted are:

    • Minus sign (-)
    • Underscore (_)
    • Colon (:)
    • Single quote (')
    • Asterisk (*)
    • Exclamation mark (!)
    • Pound symbol (£)
    • Dollar sign ($)
    • At sign (@)
    • Period (.)
    • Comma (,)
    • Slash (/)
    • Slash ()

    The password should not contain a word from the standard dictionary.

    Password expiration rules

    When a user password expires, the user cannot access Oracle Social CRM applications.

    The following are rules for password expiration:

    The user must change the password at least once every 60 days. If the user does not change the password before the time expires, the password will expire and the user must change the password the next time they log on to the Oracle Social CRM applications.

    Password uniqueness

    When the user changes the password, the new password must be different from the old password. If a user enters a new password, which is the same as the old password, the user cannot change the password, and receives an error message indicating that the new password should be different from the old password.

    Source

    • Are these rules somehow embedded in the system, or are they just recommendations? I.e., if I do not take these parameters into account, should an error be displayed? - Ilya Starikov
    • @Ilya Starikov I don't know if there is any special setting, but my Oracle 11g doesn't give any errors even if you make a password of one letter - Mike

    Simply put, like this:

    1) Create a function that will check the password complexity.

        CREATE OR REPLACE FUNCTION my_verify_function (
            username     varchar2,
            password     varchar2,
            old_password varchar2
        ) RETURN boolean IS
        BEGIN
            ...
        END;

    2) Create a profile and specify this function in it. Please note that the other password checks (lifetime, number of attempts, the ability to reuse past passwords) can all be set outside the password verification function.

        CREATE PROFILE my_profile LIMIT
            FAILED_LOGIN_ATTEMPTS 3
            PASSWORD_LIFE_TIME 30
            PASSWORD_REUSE_TIME 30
            PASSWORD_REUSE_MAX 10
            PASSWORD_VERIFY_FUNCTION my_verify_function
            PASSWORD_LOCK_TIME 1/24
            PASSWORD_GRACE_TIME 10;

    3) Assign profile to user.

     ALTER USER kot_obormot PROFILE my_profile; 

    For details, see the documentation.
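
The second answer leaves the body of the verification function elided. As an added example (not code from either answer or from Oracle), here is one possible body that enforces the length, character-class and uniqueness rules quoted in the first answer; the dictionary check is left out. It assumes the function is created as SYS, the owner Oracle requires for a password verification function, and the error numbers and messages are arbitrary choices from the user-defined range.

```sql
-- Added example: a possible body for my_verify_function (step 1 above).
-- Assumption: run as SYS; error codes -20001..-20005 are arbitrary.
CREATE OR REPLACE FUNCTION my_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  -- At least eight characters.
  IF password IS NULL OR LENGTH(password) < 8 THEN
    raise_application_error(-20001,
      'Password must be at least 8 characters long');
  END IF;

  -- At least one lowercase, one uppercase and one numeric character.
  -- 'c' forces case-sensitive matching regardless of NLS settings.
  IF NOT REGEXP_LIKE(password, '[[:lower:]]', 'c') THEN
    raise_application_error(-20002,
      'Password must contain a lowercase character');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:upper:]]', 'c') THEN
    raise_application_error(-20003,
      'Password must contain an uppercase character');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20004,
      'Password must contain a numeric character');
  END IF;

  -- Must differ from the previous password. old_password is NULL when a
  -- privileged user resets the password without the REPLACE clause,
  -- so the comparison is skipped in that case.
  IF old_password IS NOT NULL AND password = old_password THEN
    raise_application_error(-20005,
      'New password must be different from the old password');
  END IF;

  -- All checks passed: the database accepts the new password.
  RETURN TRUE;
END;
/
```

The checks only apply to users whose profile names this function in PASSWORD_VERIFY_FUNCTION, as in steps 2 and 3 of the answer.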