Password Management Enhancements in Oracle 11g
Posted by decipherinfosys on January 28, 2008
Starting with Oracle 11g, passwords are case sensitive, provided you choose to upgrade to the “new security standards” during database creation. Before 11g, database passwords were case insensitive: one could connect as a user with the password in upper case, lower case or mixed case, no matter how it was created. Starting with 11g, that is no longer true. We already have a user decipher defined in our database, so we will alter its password to start with.
SQL> alter user decipher identified by DECIPHER;
Now let us try to connect as the user with the password in lower case.
SQL> connect decipher/decipher@orcl
ORA-01017: invalid username/password; logon denied
Now if we try to connect as the user with the password in upper case, exactly as it was set, the connection will be successful.
SQL> connect decipher/DECIPHER@orcl
There is an option to make the behavior case insensitive again. A system parameter, SEC_CASE_SENSITIVE_LOGON, can be set to true or false. Setting it to false changes the behavior to case insensitive. We need to connect as sysdba to alter the value of the parameter.
SQL> ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON=FALSE;
Now we can connect as the user with the password in any combination of case.
SQL> conn decipher/DECipher@orcl
There is also a new data dictionary view, DBA_USERS_WITH_DEFPWD, which shows which users have default passwords. Prior to 11g, there was no straightforward way to check for users with default passwords. By querying this view, we can find the users that still have default passwords, which could be a security threat.
SQL> SELECT username FROM dba_users_with_defpwd;
Once we change the user’s default password to a non-default password, the user will no longer appear in this view.
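The two features above can be combined into one audit pass. The following is an added example, not part of the original post: it reports the case-sensitivity setting, lists default-password accounts with their status so that open accounts come first, and finds accounts that only have a pre-11g password version, whose passwords stay case insensitive until they are changed. It assumes a DBA session on 11g; the `action` column alias and its wording are made up for this example.

```sql
-- Added audit example (not from the original post). Run as a DBA user.

-- 1. Current value of the parameter discussed above.
--    FALSE means logons are case insensitive, which shrinks the
--    effective password space for every account.
SELECT name, value
FROM   v$parameter
WHERE  name = 'sec_case_sensitive_logon';

-- 2. Accounts that still have a default password, joined to DBA_USERS
--    so that OPEN (usable) accounts are listed before locked ones.
SELECT d.username,
       u.account_status,
       u.password_versions,
       CASE
         WHEN u.account_status = 'OPEN' THEN 'change password now'
         ELSE 'change password before unlocking'
       END AS action                      -- hypothetical column alias
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
ORDER  BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          d.username;

-- 3. Accounts whose password was last set before the upgrade to 11g.
--    They carry only the 10G password version, so their passwords remain
--    case insensitive even with SEC_CASE_SENSITIVE_LOGON = TRUE.
--    TRIM guards against trailing blanks in PASSWORD_VERSIONS.
SELECT username, account_status
FROM   dba_users
WHERE  TRIM(password_versions) = '10G'
ORDER  BY username;
```

Resetting the password of an account returned by the third query with ALTER USER ... IDENTIFIED BY, as shown at the start of this post, stores the 11g version and makes the password case sensitive.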