ALTER PROFILE "DBLINK" LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED
password profile security syntax
Oracle password security is implemented via Oracle "profiles" which are assigned to users.
Here is the Oracle security profile syntax:
profile_name LIMIT pw_limit(s) range
pw_limit = PASSWORD_LIFE_TIME
range = UNLIMITED | DEFAULT |
by creating security "profiles" in Oracle and then alter the user to
belong to the profile group. Here is pseudocode for creating a
user fred identified by flintstone profile all_users;
the following "alter profile" parameters, which are invoked as;
failed_login_attempts = 4;
password security profile parameters
the password security parameters:
failed_login_attempts - This is the number of failed login
attempts before locking the Oracle user account. The default is
three failed attempts.
password_grace_time - This is the grace period after the
password_life_time limit is exceeded.
password_life_time - This is how long an existing password
is valid. The default here forces a password change every 60
password_lock_time – This specifies how long to lock the
account after the failed login attempts limit is met. Most DBAs set
this value to UNLIMITED.
password_reuse_max – This is the number of times that you
may reuse a password and is intended to prevent repeating
password cycles (north, south, east, west).
password_reuse_time – This parameter specifies a time limit
before a previous password can be re-entered. To allow unlimited
use of previously used passwords, set password_reuse_time
password_verify_function - This allows you to specify the
name of a custom password verification function.
Password Security with Biometrics
Biometrics and facial recognition to enforce the identity of an
Oracle user we acknowledge that failed login attempts will be very
rare because the user/password combination will be fed by the
security software and the end-user will never know the actual value
of their username or their Oracle password. Hence:
passwords can be very strong (8 characters, with numbers).
changes will be cumbersome because the biometric software must
lockdown must be harsh because there will never be a username
with an invalid password coming from the biometrics (facial
recognition, fingerprint reader).
Hence we want a user
profile that forces a very strong password, keeps the password for a
long time, and complains loudly if a username is disabled
for failed password attempts:
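A profile along these lines, as an added example that is not code from the original page. The names biometric_users and biometric_pw_verify and every numeric limit are assumptions chosen for illustration; the verify function has to be created in the SYS schema, and the user fred is the one from the earlier pseudocode.

```sql
-- Hypothetical verify function: enforces the "8 characters, with numbers"
-- rule mentioned above. Must be owned by SYS to be usable in a profile.
CREATE OR REPLACE FUNCTION biometric_pw_verify (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;
  IF NOT REGEXP_LIKE(password, '[0-9]') THEN
    raise_application_error(-20002, 'Password must contain a number');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20003, 'Password must differ from the username');
  END IF;
  RETURN TRUE;
END;
/

-- Assumed limits: lock after 3 failures, stay locked until a DBA
-- intervenes, and keep each password for a year.
CREATE PROFILE biometric_users LIMIT
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       UNLIMITED
  PASSWORD_LIFE_TIME       365
  PASSWORD_GRACE_TIME      7
  PASSWORD_VERIFY_FUNCTION biometric_pw_verify;

-- Move an existing user into the profile.
ALTER USER fred PROFILE biometric_users;

-- Confirm the password limits that are actually in force.
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'BIOMETRIC_USERS'
AND    resource_type = 'PASSWORD';

-- "Complain loudly": any row here is a locked account in this profile,
-- which should never happen if the biometric software supplies the password.
SELECT username, account_status, lock_date
FROM   dba_users
WHERE  profile = 'BIOMETRIC_USERS'
AND    account_status LIKE '%LOCKED%';
```

Scheduling the last query and alerting on any returned row turns a lockout into an investigation trigger rather than a silent state.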