Systems Engineering and RDBMS

Password Management Enhancements in Oracle 11g

Posted by decipherinfosys on January 28, 2008

Starting with Oracle 11g, passwords are case sensitive, provided you choose to upgrade to the “new security standards” during database creation. Before 11g, database passwords were case insensitive: one could connect as a user with the password in upper case, lower case or mixed case, no matter how it was created. Starting with 11g, that is no longer true. We already have a user decipher defined in our database, so we will alter its password to start with.

SQL> alter user decipher identified by DECIPHER;

User altered.

Now let us try to connect as the user with the password in lower case.

SQL> connect decipher/decipher@orcl
ERROR:
ORA-01017: invalid username/password; logon denied

Now if we try to connect as the user with the password in upper case, the connection will be successful.

SQL> connect decipher/DECIPHER@orcl
Connected.

There is an option to make password checks case insensitive again. The system parameter SEC_CASE_SENSITIVE_LOGON can be set to true or false; setting it to false changes the behavior to case insensitive. We need to connect as sysdba to alter the value of the parameter.

SQL> ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON=FALSE;

System altered.

Now we can connect as the user with the password in any combination of case.

SQL> conn decipher/DECipher@orcl
Connected.

There is also a new data dictionary view, DBA_USERS_WITH_DEFPWD, which shows which users have default passwords. Prior to 11g, there was no straightforward way to check for users with default passwords. By querying this view, we can find out which users still have default passwords, which could be a security threat.

SQL> SELECT username FROM dba_users_with_defpwd;

USERNAME
------------------------------
DIP
MDSYS
WK_TEST
CTXSYS
OUTLN
EXFSYS
SCOTT
MDDATA
ORDPLUGINS
ORDSYS
XDB

Once we change a user’s default password to a non-default password, that user will no longer be displayed in this view.
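
An audit script built on the two features above, added here as an example and not part of the original post: it reports the current SEC_CASE_SENSITIVE_LOGON setting and joins DBA_USERS_WITH_DEFPWD to DBA_USERS so that open accounts with default passwords sort first. It assumes a DBA session in SQL*Plus on 11g; the new password shown is a placeholder.

```sql
-- Added example, not from the original post. Run as a DBA.

-- 1. Is case-sensitive logon currently enforced? (TRUE = case sensitive)
SELECT name, value
FROM   v$parameter
WHERE  name = 'sec_case_sensitive_logon';

-- 2. Accounts that still have a default password, open accounts first.
--    A locked account cannot log in, so rows with ACCOUNT_STATUS = 'OPEN'
--    are the ones to fix first. PASSWORD_VERSIONS shows which verifiers
--    are stored; an account listing only 10G has no case-sensitive
--    verifier until its password is changed.
SELECT u.username,
       u.account_status,
       u.password_versions,
       u.profile
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
ORDER  BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          u.username;

-- 3. Remediation for one account from the list (SCOTT appears in the
--    output above). Use whichever fits: a new password if the account
--    is needed, lock and expire if it is not.
ALTER USER scott IDENTIFIED BY "<new-strong-password>";  -- placeholder value
ALTER USER scott PASSWORD EXPIRE ACCOUNT LOCK;

-- 4. Re-check: the account should no longer be listed.
SELECT username
FROM   dba_users_with_defpwd
WHERE  username = 'SCOTT';
```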
