This is an update to one of my very first posts, bringing it up to date to reflect current password verification techniques for Oracle 19c.
One of the most common attack vectors for any hacker is checking to see if you have reset default passwords on service and administrator accounts. Almost every piece of hardware or software comes with some default way to log in the first time, and a lot of people are really bad at changing those credentials to be more secure. Oracle databases and DBAs are no exception...
Increasingly we are asked to provide more secure passwords for accounts of all kinds. As I have written previously, because coming up with new ones that meet all complexity requirements can be a real pain, I try to avoid passwords whenever possible in favor of PKE authentication. Sometimes, however, they are unavoidable.
I was perusing (yes, "perusing") the My Oracle Support Community Database Administration posts recently when I came across this one: "How to hide oracle database account password in a create user sql script". The poster had a problem that every database administrator has had to confront at one time or another: namely, how to embed a … Continue reading How to hide Oracle passwords in a script?
One area that Oracle has made a lot easier over the years is the enforcement of password strength criteria. Oracle's documentation contains a detailed example on how to create a password verification function and attach it to user profiles. One thing I have found useful to add to their basic criteria, besides making them generally … Continue reading Password Strength