Home arrow Oracle arrow Profiles, Password and Resource Control for Oracle Database XE

Profiles, Password and Resource Control for Oracle Database XE

In this fifth part of a ten-part series on securing Oracle Database XE, you'll learn about profiles as they pertain to password and resource control. This article is excerpted from chapter 31 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

  1. Profiles, Password and Resource Control for Oracle Database XE
  2. Profiles and Resource Control
By: Apress Publishing
Rating: starstarstarstarstar / 2
January 06, 2011

print this article



Profiles and Password Control

Table 31-3 shows the password-related profile parameters. All units of time are specified in days (e.g., to specify any of these parameters in minutes, divide by 1440):

SQL> create profile lim_lock limit password_lock_time 5/1440;
Profile created.

In this example, an account will only be locked for five minutes after the specified number of login failures.

Table 31-3. Password-Related Profile Parameters  


Password Parameter



The number of failed login attempts before the account is locked.


The number of days the password can be used before it must be changed. If it is not changed within PASSWORD_GRACE_TIME, the password must be changed before logins are allowed.


The number of days a user must wait before reusing a password; this parameter is used in conjunction with PASSWORD_REUSE_MAX.


The number of password changes that have to occur before a password can be reused; this parameter is used in conjunction with PASSWORD_REUSE_TIME.


The number of days the account is locked after FAILED_LOGIN_ ATTEMPTSattempts. After this time period, the account is automatically unlocked.


The number of days after which an expired password must be changed. If it is not changed within this time period, the account is expired and the password must be changed before the user can log in successfully.


A PL/SQL script to provide an advanced password-verification routine. If NULLis specified (the default), no password verification is performed.


A parameter value ofUNLIMITEDmeans that there is no limit on how much of the given resource can be used.DEFAULT means that this parameter takes its values from theDEFAULTprofile.

The parametersPASSWORD_REUSE_TIMEandPASSWORD_REUSE_MAXmust be used together; setting one without the other has no useful effect. In the following example, we create a profile that setsPASSWORD_REUSE_TIMEto 20 days andPASSWORD_REUSE_MAXto 5:

create profile lim_reuse_pass limit  
assword_reuse_time 20
password_reuse_max 5;

Users with this profile can reuse their passwords after 20 days if the password has been changed at least five times. If you specify a value forPASSWORD_REUSE_TIMEorPASSWORD_REUSE_MAX, andUNLIMITEDfor the other, a user can never reuse a password.

If you want to provide tighter control over how passwords are created and reused, such as using a mixture of uppercase and lowercase characters in every password, you need to enable thePASSWORD_VERIFY_FUNCTIONlimit in each applicable profile. Oracle provides a template for enforcing an organizationís password policy. Itís located in$ORACLE_HOME/rdbms/admin/utlpwdmg.sql. The script provides the following functionality for password complexity:

  1. Ensures that the password is not the same as the username
  2. Ensures that the password is at least four characters long 
  3. Checks to make sure the password is not a simple, obvious word, such asORACLE orDATABASE 
  4. Requires that the password contains one letter, one digit, and one punctuation mark 
  5. Ensures that the password is different from the previous password by at least three characters

To use this policy, the first step is to make your own custom changes to this script. For example, you may wish to have several different verify functions, one for each country or business unit, to match the database password complexity requirements to that of the operating systems in use in a particular country or business unit. Therefore, you can rename this function asVERIFY_FUNCTION_US_WESTCOAST, for example. In addition, you might want to change the list of simple words to include names of departments or buildings at your company.

>>> More Oracle Articles          >>> More By Apress Publishing

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Oracle Java Security Woes Continue
- Oracle's New IaaS Cloud Option: There's a Ca...
- Oracle Acquires Eloqua to Boost Cloud Presen...
- Choosing Innovation: Oracle Survey Insights
- Oracle Fixes Privilege Escalation Bug
- Oracle`s Communications Service Availability...
- Oracle Releases Exalytics, Taleo Plans
- Oracle Releases Communications Network Integ...
- Oracle Releases Communications Data Model 11...
- Oracle Releases PeopleSoft PeopleTools 8.52
- Oracle Integrates Cloudera Apache Distro, My...
- Oracle Releases MySQL 5.5.18
- Oracle Announces NoSQL Database Availability
- Sorting Database Columns With the SELECT Sta...
- Retrieving Table Data with the LIKE Operator

Developer Shed Affiliates


Dev Shed Tutorial Topics: