This is an update to one of my very first posts, bringing it up to date to reflect current password verification techniques for Oracle 19c.
One of the most common attack vectors for any hacker is checking to see if you have reset default passwords on service and administrator accounts. Almost every piece of hardware or software comes with some default way to log in the first time, and a lot of people are really bad at changing those credentials to something more secure. Oracle databases and DBAs are no exception...
Applications must obscure feedback of authentication information; when using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
Increasingly we are asked to provide more secure passwords for accounts of all kinds. As I have written previously, because coming up with new ones that meet all complexity requirements can be a real pain, I try to avoid passwords whenever possible in favor of PKE authentication. Sometimes, however, they are unavoidable.
I was perusing (yes, "perusing") the My Oracle Support Community Database Administration posts recently when I came across this one: "How to hide oracle database account password in a create user sql script". The poster had a problem that every database administrator has had to confront at one time or another: namely, how to embed a … Continue reading How to hide Oracle passwords in a script?
One of the most problematic STIG checklist items is this one:

Rule Title: Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
STIG ID: DG0067-ORACLE11
Rule ID: SV-24641r1_rule
Vuln ID: V-3812
Severity: CAT I
Vulnerability Discussion: Database passwords stored … Continue reading Database Account Password Storage
One area that Oracle has made a lot easier over the years is the enforcement of password strength criteria. Oracle's documentation contains a detailed example on how to create a password verification function and attach it to user profiles. One thing I have found useful to add to their basic criteria, besides making them generally … Continue reading Password Strength