Standards for Passwords
Many children have clubs in which a secret word is used to gain entry to the clubhouse. In my club, the password was hobgoblin. Since no one but our group knew the secret word, we could feel pretty confident that someone saying hobgoblin at our clubhouse door was a member to be allowed in. Operating systems and the Oracle database use passwords in much the same way.
When you are developing your database security plan, you’ll need to make a number of decisions about password use at your site:
Whether a user will be permitted to create and change his own password
How frequently the password will expire and how long a grace period will be allowed before the account is locked
Whether a set standard for password composition is to be used, and what that composition will be
Whether account lockout will be enabled, whether the account can be automatically unlocked, or whether a security manager will have to intervene to unlock a locked account
Whether a password will be permitted to be reused, and what length of time must pass before a password can be reused
How the user or designated account manager will actually change the password—through a created form, through a SQL script, etc.
If users will not be permitted to change their own passwords, the mechanism by which users will be notified of password changes
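The decisions in the list above map onto an Oracle password profile and a password-verification function. The following is an added example, not code from the original book: the user name app_user, the function name site_pw_verify and all numeric limits are assumed values chosen for illustration.

```sql
-- Composition standard: Oracle calls a PASSWORD_VERIFY_FUNCTION with exactly
-- this signature; it must be created in the SYS schema.
CREATE OR REPLACE FUNCTION site_pw_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    has_letter BOOLEAN := FALSE;
    has_digit  BOOLEAN := FALSE;
    c          VARCHAR2(1);
BEGIN
    -- Minimum length (assumed site standard: 8 characters)
    IF LENGTH(password) < 8 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
    END IF;
    -- Reject a password equal to the user name (case-insensitive)
    IF UPPER(password) = UPPER(username) THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must not equal the user name');
    END IF;
    -- Require at least one letter and one digit
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF c BETWEEN '0' AND '9' THEN
            has_digit := TRUE;
        ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN
            has_letter := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_letter AND has_digit) THEN
        RAISE_APPLICATION_ERROR(-20003, 'Password needs both letters and digits');
    END IF;
    RETURN TRUE;
END site_pw_verify;
/

-- Profile: expiry, grace period, lockout, automatic unlock and reuse rules.
-- Password limits in a profile are always enforced; the RESOURCE_LIMIT
-- parameter only governs the resource (CPU/session) limits.
CREATE PROFILE site_users LIMIT
    PASSWORD_LIFE_TIME       90        -- password expires after 90 days
    PASSWORD_GRACE_TIME      7         -- 7-day grace period before the account locks
    FAILED_LOGIN_ATTEMPTS    5         -- lock after 5 consecutive failed logins
    PASSWORD_LOCK_TIME       1/24      -- auto-unlock after 1 hour (UNLIMITED = manual unlock only)
    PASSWORD_REUSE_TIME      365       -- a password may not be reused within a year ...
    PASSWORD_REUSE_MAX       10        -- ... nor until 10 other passwords have been used
    PASSWORD_VERIFY_FUNCTION site_pw_verify;

-- Assign the profile to an account (app_user is an assumed name).
ALTER USER app_user PROFILE site_users;

-- When PASSWORD_LOCK_TIME is UNLIMITED, the security manager unlocks manually:
ALTER USER app_user ACCOUNT UNLOCK;
```

PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX only restrict reuse when both are set to a value other than UNLIMITED.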
The decision to enforce a specific pattern for passwords raises the question of just how secure the password will really be since anyone who knows ...