Standards for Passwords

Many children have clubs in which a secret word is used to gain entry to the clubhouse. In my club, the password was hobgoblin. Since no one but our group knew the secret word, we could feel pretty confident that someone saying hobgoblin at our clubhouse door was a member to be allowed in. Operating systems and the Oracle database use passwords in much the same way.

Password Decisions

When you are developing your database security plan, you’ll need to make a number of decisions about password use at your site:

  • Whether a user will be permitted to create and change his own password

  • How frequently the password will expire and how long a grace period will be allowed before the account is locked

  • Whether a set standard for password composition is to be used, and what that composition will be

  • Whether account lockout will be enabled, whether the account can be automatically unlocked, or whether a security manager will have to intervene to unlock a locked account

  • Whether a password will be permitted to be reused, and what length of time must pass before a password can be reused

  • How the user or designated account manager will actually change the password—through a custom form, through a SQL script, etc.

  • If users will not be permitted to change their own passwords, the mechanism by which users will be notified of password changes
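Each of the decisions in the list above maps onto an Oracle password profile setting or a password verification function. The following is an added example, not code from the book, showing one way those decisions might be expressed; the profile name `site_user_profile`, the function name `site_verify_password`, the account `scott`, and the specific limits are assumptions chosen for illustration, and should be replaced with the values your own security plan calls for.

```sql
-- Added example (not from the original text). Assumes an Oracle release
-- that supports password profiles (8.0+) and, for REGEXP_LIKE, 10g or later.
-- The verification function must be owned by SYS to be named in a profile.

-- Composition standard: the function receives the new password, the old one
-- and the username, and raises an error (rejecting the change) when the
-- standard is not met. Signature is the one Oracle expects for
-- PASSWORD_VERIFY_FUNCTION.
CREATE OR REPLACE FUNCTION site_verify_password (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not be the username');
    END IF;
    IF NOT REGEXP_LIKE(password, '[0-9]')
       OR NOT REGEXP_LIKE(password, '[A-Za-z]') THEN
        raise_application_error(-20003, 'Password must contain both letters and digits');
    END IF;
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;
    RETURN TRUE;
END;
/

-- Expiry, grace period, lockout, reuse and composition, all in one profile.
-- Time limits are in days; 1/24 is one hour. Password limits in a profile
-- are always enforced, regardless of the RESOURCE_LIMIT parameter.
CREATE PROFILE site_user_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    5          -- lock after 5 consecutive failures
    PASSWORD_LOCK_TIME       1/24       -- auto-unlock after one hour;
                                        -- UNLIMITED would require a manager
                                        -- to unlock manually
    PASSWORD_LIFE_TIME       90         -- password expires after 90 days
    PASSWORD_GRACE_TIME      7          -- 7 days of warnings, then locked
    PASSWORD_REUSE_TIME      365        -- no reuse for a year ...
    PASSWORD_REUSE_MAX       10         -- ... and not until 10 changes later
                                        -- (some older releases require one of
                                        -- these two to be UNLIMITED)
    PASSWORD_VERIFY_FUNCTION site_verify_password;

-- Assign the profile and force a change at next logon.
ALTER USER scott PROFILE site_user_profile;
ALTER USER scott PASSWORD EXPIRE;

-- A user changing his own password under a verify function must supply the
-- old one (the SQL*Plus PASSWORD command prompts for it interactively).
ALTER USER scott IDENTIFIED BY "Tiger2024x" REPLACE "tiger";

-- A security manager unlocking an account after lockout.
ALTER USER scott ACCOUNT UNLOCK;

-- Check where an account stands against the policy.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE username = 'SCOTT';
```

The verification function is the piece most worth reviewing: it defines what "composition" means at your site, so anyone who knows its rules knows the shape of every password it accepts, which is the trade-off the following paragraph raises.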

The decision to enforce a specific pattern for passwords raises the question of just how secure the password will really be since anyone who knows ...
