Passwords and User Accounts for Oracle Database XE
In this third part of a 10-part article series on securing Oracle Database XE, you'll learn about the role played by passwords and user accounts. This article is excerpted from chapter 31 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).
Although a default installation of Oracle Database XE will automatically create a password file, there are occasions when you may need to re-create one if it is accidentally deleted or damaged. The orapwd command will create a password file with a single entry for the SYS user and other options, as noted, when you run the orapwd command without any options:
where
    file - name of password file (mand),
    password - password for SYS (mand),
    entries - maximum number of distinct DBA and OPERs (opt),
    force - whether to overwrite existing file (opt),
There are no spaces around the equal-to (=) character.
Once you re-create the password file, you will have to grant the SYSDBA and SYSOPER privileges to those database users who previously had those privileges. In addition, if the password you provide in the orapwd command is not the same password that the SYS account has in the database, you will have to change the SYS account's password the next time you are connected to the database so that the password in the database and the password in the password file stay in sync.
The system initialization parameter REMOTE_LOGIN_PASSWORDFILE controls how the password file is used for the database instance. It has three possible values: NONE, SHARED, and EXCLUSIVE.
If the value is NONE, Oracle ignores any password file that exists. Any privileged users must be authenticated by other means, such as by operating system authentication, which is discussed in the next section.
With a value of SHARED, multiple databases can share the same password file, but only the SYS user is authenticated with the password file, and the password for SYS cannot be changed. As a result, this method is not the most secure, but it does allow a DBA to maintain more than one database with a single SYS account.
Tip: If you must use a shared password file, ensure that the password for SYS is at least eight characters long and includes a combination of alphabetic, numeric, and special characters to defend against a brute-force attack.
A value of EXCLUSIVE binds the password file to only one database; other database user accounts can exist in the password file. As soon as you create the password file, use this value to maximize the security of SYSDBA or SYSOPER connections.
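The three settings and the Tip above can be checked mechanically. The following script is an added example, not code from the book: it reads a text parameter file (the sample is constructed), reports the REMOTE_LOGIN_PASSWORDFILE value in the article's terms, and tests a candidate SYS password against the Tip's rule. The function names are hypothetical, and it assumes the last assignment in the file is the one that applies.

```shell
#!/bin/sh
# Added example (hypothetical helper names); the sample pfile is constructed.
SAMPLE_PFILE="# constructed sample, not from a real system
*.db_name='XE'
# remote_login_passwordfile=NONE
*.remote_login_passwordfile = 'shared'   # inherited setting
"

# Read pfile text on stdin and print the REMOTE_LOGIN_PASSWORDFILE value in
# upper case, or UNSET. Handles '#' comments, quotes, spaces around '=', and
# "*." or "SID." prefixes. Assumption: the last assignment is the effective one.
pwfile_mode() {
    awk -v q="'" '
        { sub(/#.*/, ""); line = toupper($0); gsub("[ \t\"" q "]", "", line) }
        line ~ /^([A-Z0-9_*]+\.)?REMOTE_LOGIN_PASSWORDFILE=/ {
            sub(/^[^=]*=/, "", line); if (line != "") v = line
        }
        END { print (v == "" ? "UNSET" : v) }'
}

# Describe a value in the article's terms; exit status 0 only for EXCLUSIVE.
assess_mode() {
    case "$1" in
        EXCLUSIVE) echo "ok: password file bound to one database"; return 0 ;;
        SHARED) echo "weak: only SYS uses the file; SYS password cannot be changed"; return 1 ;;
        NONE) echo "info: password file ignored; other authentication required"; return 1 ;;
        UNSET) echo "unknown: not set in this file; check the running instance"; return 1 ;;
        *) echo "invalid value: $1"; return 2 ;;
    esac
}

# The Tip's rule: at least eight characters, with alphabetic, numeric and
# special characters all present.
sys_password_ok() {
    [ "${#1}" -ge 8 ] || return 1
    case "$1" in *[A-Za-z]*) ;; *) return 1 ;; esac
    case "$1" in *[0-9]*) ;; *) return 1 ;; esac
    case "$1" in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
}

mode=$(printf '%s' "$SAMPLE_PFILE" | pwfile_mode)
echo "REMOTE_LOGIN_PASSWORDFILE=$mode -> $(assess_mode "$mode")"
```

A value of UNSET only means the file does not set the parameter; the running instance then uses its release default, which has to be read from the database itself.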
The dynamic performance view V$PWFILE_USERS lists all the database users who have either SYSDBA or SYSOPER privileges, as shown here: