Oracle Database


Configuring Password Protection

SCOTT

Then change the passwords for any accounts that the DBA_USERS_WITH_DEFPWD view lists:

ALTER USER scott IDENTIFIED BY password;

Replace password with a password that is secure. "How Oracle Database Checks the Complexity of Passwords" on page 3-7 describes the minimum requirements for passwords.

Account Locking

When a user exceeds a designated number of failed login attempts, the server automatically locks that user account. You can specify the permissible number of failed login attempts by using the CREATE PROFILE statement. You can also specify the amount of time accounts remain locked.

Example 3–1 sets the maximum number of failed login attempts for the user johndoe to 10 (the default), and the amount of time the account remains locked to 30 days. The account will unlock automatically after 30 days.

Example 3–1 Locking an Account with the CREATE PROFILE Statement

CREATE PROFILE prof LIMIT
  FAILED_LOGIN_ATTEMPTS 10
  PASSWORD_LOCK_TIME 30;
ALTER USER johndoe PROFILE prof;

With each unsuccessful login attempt, Oracle Database increases the delay exponentially.

If you do not specify a time interval for unlocking the account, then PASSWORD_LOCK_TIME assumes the value specified in a default profile. (The recommended value is 1 day.) If you specify PASSWORD_LOCK_TIME as UNLIMITED, then you must explicitly unlock the account by using an ALTER USER statement. For example, assuming that PASSWORD_LOCK_TIME UNLIMITED is specified for johndoe, you use the following statement to unlock the johndoe account:

ALTER USER johndoe ACCOUNT UNLOCK;

After a user successfully logs into an account, Oracle Database resets the unsuccessful login attempt count for the user, if it exists, to 0.

The security officer can also explicitly lock user accounts. When this occurs, the account cannot be unlocked automatically, and only the security officer should unlock the account. The CREATE USER or ALTER USER statements explicitly lock or unlock user accounts. For example, the following statement locks the user account, susan:

ALTER USER susan ACCOUNT LOCK;

Password Aging and Expiration

You can specify a password lifetime, after which the password expires and must be changed before logging into the account is permitted again. In addition, you can set a grace period, during which each attempt to log in to the database account receives a warning message to change the password. If the user does not change it by the end of that period, then Oracle Database expires the account. No further logins to that account are allowed without assistance by the database administrator.
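An audit that ties the locking and aging settings on this page together, as an added example that is not from the Oracle guide: it creates a profile, reports each account's effective password limits (resolving a limit of DEFAULT against the default profile), and lists unlocked accounts that still have a default password. The profile name app_user_prof and the 90-day and 7-day values are assumptions; PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME are the profile parameters for the lifetime and grace period described above.

```sql
-- Added example. Profile name and the lifetime/grace values are assumptions.
CREATE PROFILE app_user_prof LIMIT
  FAILED_LOGIN_ATTEMPTS 10   -- lock the account after 10 failed logins
  PASSWORD_LOCK_TIME    1    -- days before the account unlocks automatically
  PASSWORD_LIFE_TIME    90   -- days until the password expires (assumed value)
  PASSWORD_GRACE_TIME   7;   -- days of login warnings before expiry (assumed value)

ALTER USER johndoe PROFILE app_user_prof;

-- Effective password limits for every account. A profile limit of 'DEFAULT'
-- means the value is inherited from the profile named DEFAULT, so resolve it.
SELECT u.username,
       u.account_status,
       u.lock_date,
       u.expiry_date,
       p.resource_name,
       DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS effective_limit
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile       = u.profile
       AND p.resource_type = 'PASSWORD'
JOIN   dba_profiles d
       ON  d.profile       = 'DEFAULT'
       AND d.resource_name = p.resource_name
WHERE  p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                           'PASSWORD_LIFE_TIME',    'PASSWORD_GRACE_TIME')
ORDER  BY u.username, p.resource_name;

-- Accounts that still have a default password and are not locked:
-- these are the ones to fix first with ALTER USER ... IDENTIFIED BY.
SELECT w.username, u.account_status, u.profile
FROM   dba_users_with_defpwd w
JOIN   dba_users u ON u.username = w.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY w.username;
```

Rows whose effective_limit is UNLIMITED for FAILED_LOGIN_ATTEMPTS or PASSWORD_LIFE_TIME identify accounts that never lock or never expire.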


Oracle Database Security Guide

