ALTER PROFILE IN ORACLE

posted Jan 13, 2011, 7:14 AM by Sachchida Ojha
ALTER PROFILE "DBLINK" LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;

Oracle password profile security syntax


Oracle password security is implemented via Oracle "profiles" which are assigned to users.  Here is the Oracle security profile syntax:

  
ALTER PROFILE profile_name LIMIT pw_limit(s) range

where:

  pw_limit = PASSWORD_LIFE_TIME
             PASSWORD_GRACE_TIME
             PASSWORD_REUSE_TIME
             PASSWORD_REUSE_MAX
             FAILED_LOGIN_ATTEMPTS
             PASSWORD_LOCK_TIME

   range  =  UNLIMITED | DEFAULT | expression
 


We start by creating security "profiles" in Oracle and then assign each user to a profile.  Here is pseudocode for creating a profile:

create profile
   all_users
limit
   PASSWORD_LIFE_TIME 365
   PASSWORD_GRACE_TIME 10
   PASSWORD_REUSE_TIME UNLIMITED
   PASSWORD_REUSE_MAX 0
   FAILED_LOGIN_ATTEMPTS 3
   PASSWORD_LOCK_TIME UNLIMITED;

create user fred identified by flintstone profile all_users;

An existing profile is changed with "alter profile", which is invoked as:

alter profile
   finance_user
limit
   failed_login_attempts 4;

Oracle password security profile parameters

Here are the password security parameters:

  • failed_login_attempts - This is the number of failed login attempts before locking the Oracle user account. The default is three failed attempts.
     

  • password_grace_time - This is the grace period after the password_life_time limit is exceeded.
     

  • password_life_time - This is how long an existing password is valid. The default here forces a password change every 60 days.
     

  • password_lock_time – This specifies how long to lock the account after the failed login attempts limit is reached. Most DBAs set this value to UNLIMITED.
     

  • password_reuse_max – This is the number of times that you may reuse a password and is intended to prevent repeating password cycles (north, south, east, west).
     

  • password_reuse_time – This parameter specifies a time limit before a previous password can be re-entered. To allow unlimited use of previously used passwords, set password_reuse_time to UNLIMITED.
     

  • password_verify_function - This allows you to specify the name of a custom password verification function.
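
To check which profiles actually enforce the limits listed above, the following query reports the effective value of each limit per profile and flags profiles with no failed-login lockout (such as the "DBLINK" setting at the top of this page) or no verify function. It is an added example, not part of the original post, and assumes SELECT access to the DBA_PROFILES and DBA_USERS dictionary views:

```sql
-- Added example: report effective password limits per profile and flag gaps.
-- Assumes SELECT access to DBA_PROFILES and DBA_USERS.
WITH effective AS (
  -- DBA_PROFILES stores the text 'DEFAULT' for an inherited limit,
  -- so substitute the value held by the DEFAULT profile.
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS eff_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.profile       = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
),
per_profile AS (
  -- One row per profile, one column per limit of interest.
  SELECT profile,
         MAX(CASE WHEN resource_name = 'FAILED_LOGIN_ATTEMPTS'    THEN eff_limit END) AS failed_login_attempts,
         MAX(CASE WHEN resource_name = 'PASSWORD_LOCK_TIME'       THEN eff_limit END) AS password_lock_time,
         MAX(CASE WHEN resource_name = 'PASSWORD_LIFE_TIME'       THEN eff_limit END) AS password_life_time,
         MAX(CASE WHEN resource_name = 'PASSWORD_VERIFY_FUNCTION' THEN eff_limit END) AS verify_function
  FROM   effective
  GROUP  BY profile
)
SELECT pp.profile,
       pp.failed_login_attempts,
       pp.password_lock_time,
       pp.password_life_time,
       pp.verify_function,
       -- How many accounts inherit this profile's limits.
       (SELECT COUNT(*) FROM dba_users u WHERE u.profile = pp.profile) AS assigned_users,
       CASE
         WHEN pp.failed_login_attempts = 'UNLIMITED' THEN 'no lockout on failed logins'
         -- The view shows the text 'NULL' when no verify function is set.
         WHEN pp.verify_function = 'NULL'            THEN 'no password verify function'
         ELSE 'ok'
       END AS finding
FROM   per_profile pp
ORDER  BY CASE WHEN pp.failed_login_attempts = 'UNLIMITED' THEN 0 ELSE 1 END,
          pp.profile;
```

Profiles that report a finding and a non-zero assigned_users count are the ones to review first.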

Oracle Password Security with Biometrics

When using Oracle Biometrics and facial recognition to enforce the identity of an Oracle user we acknowledge that failed login attempts will be very rare because the user/password combination will be fed by the security software and the end-user will never know the actual value of their username or their Oracle password.  Hence:

  • The Oracle passwords can be very strong (8 characters, with numbers).
     

  • Password changes will be cumbersome because the biometric software must be changed.
     

  • Account lockdown must be harsh because there will never be a username with an invalid password coming from the biometrics (facial recognition, fingerprint reader).

Hence we want a user profile that forces a very strong password, keeps the password for a long time, and complains loudly if a username is disabled for failed password attempts:

create profile
   all_biometric_users
limit
   PASSWORD_LIFE_TIME UNLIMITED
   PASSWORD_GRACE_TIME 0
   PASSWORD_REUSE_TIME UNLIMITED
   PASSWORD_REUSE_MAX 0
   FAILED_LOGIN_ATTEMPTS 3
   PASSWORD_LOCK_TIME UNLIMITED;

