There is no need to debate this point any more: one of the most common causes of security breaches is a weak password. Can you guess the most popular passwords? I provide a list of the most common passwords of all time; is yours one of them?
A few simple steps keep you on the safe side. There is no need for software or third-party products to change your password in Database 10g and 11g; Oracle provides new features for this. Note that what works on 10g also works on 11g.
Oracle Database 10g
In Database 10g, Oracle provides an example of a password verification function. You can write your own code, and you can use
This function must be created in the SYS schema. When you run the script, you enable the following:
• It alters the default parameters for password management, which means all users on the system have password management.
• It sets the default password resource parameters.
• The function makes the minimum complexity checks, such as the minimum length of the password.
sqlplus / as sysdba
Create a new user after running the utlpwdmg.sql script.
SQL> create user test identified by test;
create user test identified by test
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password same as or similar to user
SQL> create user test identified by test_oracle123 ;
At least we ensure that there are no more easy passwords. As mentioned before, you can create your own code or trigger.
CREATE OR REPLACE FUNCTION paasword_check (
RETURN BOOLEAN AS
IF LENGTH (password) < 10 THEN
After creating the above function in the SYS schema, you should assign it to a specific profile. Let me describe this step by step.
1- Create profile
CREATE PROFILE New_profile LIMIT
Check that the profile was created.
SQL> select profile from dba_profiles where profile = 'NEW_PROFILE';
2- Assign verify_function to New_profile
SQL> ALTER PROFILE new_profile LIMIT
3- Change User profile
SQL> alter user scott profile NEW_profile ;
Now users are created with password verification and a profile that enforces password conditions, all to make sure that a user will not be able to choose a weak password.
If you need to generate a strong password and nothing comes to mind, one of the most amazing websites that helps you do that is http://www.randpass.com/. Just choose the length of the password.
Example of a password generated by random password sites:
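The function-and-profile procedure described above, written out in full as an added example (it is not the original post's code). The names demo_password_check and demo_profile, the error numbers and messages, and the limit values are assumptions chosen for illustration; run it as SYS.

```sql
-- Added example, not from the original post. Run as SYS (sqlplus / as sysdba).
-- demo_password_check, demo_profile, error texts and limit values are assumptions.
CREATE OR REPLACE FUNCTION demo_password_check (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN AS
BEGIN
  -- Minimum length: the same 10-character rule as the fragment above.
  IF password IS NULL OR LENGTH(password) < 10 THEN
    raise_application_error(-20001, 'Password must be at least 10 characters');
  END IF;

  -- Reject a password that contains the user name, in any letter case.
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the user name');
  END IF;

  -- Require at least one letter and at least one digit.
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20003, 'Password needs a letter and a digit');
  END IF;

  -- old_password may be NULL, for example when an administrator sets the password.
  IF old_password IS NOT NULL AND password = old_password THEN
    raise_application_error(-20004, 'New password must differ from the old one');
  END IF;

  RETURN TRUE;
END;
/

-- Attach the function to a profile together with other password limits.
CREATE PROFILE demo_profile LIMIT
  PASSWORD_VERIFY_FUNCTION demo_password_check
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME 90;

-- Confirm the password limits that the profile now carries.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEMO_PROFILE' AND resource_type = 'PASSWORD';

-- A user is subject to the rules only once assigned to the profile.
ALTER USER scott PROFILE demo_profile;
```

With this function in place, the earlier password test_oracle123 for user test is rejected, because it contains the user name.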
Oracle Database 11g
Early in the 11g version, Oracle provided a new parameter that controls case sensitivity for passwords. I consider this an amazing addition to the database. It does not exist in 10g, but with it there is a difference between oracle and ORACLE as a password.
Since this book is concerned with Oracle security, I will post every example I can to show the best ways to secure your database.
SQL> show parameter case;
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
sec_case_sensitive_logon             boolean     FALSE
By default this parameter is set to TRUE, to help secure your password. I include a demonstration to help you understand this parameter as well.
In the output above, the parameter is set to FALSE.
SQL> Create user test identified by test;
SQL> grant create session to test ;
Let’s try to connect as the test user, once with “test” and once with “TEST”.
SQL> conn test/test ;
SQL> conn test/TEST;
The case of the password makes no difference. Now I will set the sec_case_sensitive_logon parameter to TRUE and try again after changing the password for the test user.
SQL> alter system set sec_case_sensitive_logon=TRUE scope=memory;
SQL> alter user test identified by TEST;
Let’s try to connect again as the test user.
SQL> conn test/test ;
ORA-01017: invalid username/password; logon denied
But using “TEST”:
SQL> conn test/TEST ;
This parameter is an important security feature. You can create your own complex passwords to help protect your data. Weak passwords are one of the most important threats, and reducing hacking starts with simple, basic steps.
3 thoughts on “The Effect of the Weak Password”
Password function in the profile is indeed a great add on. The case sensitivity is often switched off here to be honest. Great article. Keep Blogging!
There are a lot of tips that you can use to secure a database before you start looking for products; one of them is this. Wait for my next article about how to hack Oracle passwords.
You got a really useful blog. I have been here reading for about an hour. I am a newbie and your success is very much an inspiration for me. Oracle Goldengate