‘Default’ Password Profile Configuration
Dear All,
I was requested by the auditor to update my Oracle database 'default' profile:
- PASSWORD_REUSE_TIME Unlimited
- PASSWORD_REUSE_MAX Unlimited
- PASSWORD_VERIFY_FUNCTION Unlimited
Other checks
- Concurrent Sessions Unlimited
- Login Attempts Unlimited
- Connect Time Unlimited
- Idle Time Unlimited
- Composite Time Unlimited
Implication (Auditor)
Lack of implementation of appropriate password configurations may lead to compromise of passwords through different password attacks including dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). These attacks can lead to unauthorised access to critical data.
Recommendation (Auditor)
It is recommended that the management should define the security parameters and implement them accordingly as per industry best practices.
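One way to inspect the DEFAULT profile and replace its UNLIMITED settings, added here as an example and not part of the original post or the auditor's report. The numeric limits are assumptions to be set by local policy; ORA12C_VERIFY_FUNCTION is Oracle's supplied verifier created by utlpwdmg.sql.

```sql
-- Added example, not from the original post. Run as a DBA (e.g. SYS).
-- The numeric limits are illustrative assumptions, not auditor-prescribed values.

-- 1. What the DEFAULT profile enforces today (the post lists most as UNLIMITED).
SELECT resource_name, resource_type, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
 ORDER BY resource_type, resource_name;

-- 2. Who inherits DEFAULT? Application service accounts should get their own
--    profile so FAILED_LOGIN_ATTEMPTS cannot lock an application out.
SELECT username, account_status, profile
  FROM dba_users
 WHERE profile = 'DEFAULT';

-- 3. KERNEL limits (SESSIONS_PER_USER, CONNECT_TIME, IDLE_TIME, COMPOSITE_LIMIT)
--    are enforced only while RESOURCE_LIMIT is TRUE; PASSWORD limits always are.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- 4. Oracle's supplied verify functions (e.g. ORA12C_VERIFY_FUNCTION) are
--    created by this script if the database does not have them yet:
--    @?/rdbms/admin/utlpwdmg.sql

-- 5. Replace the UNLIMITED settings. PASSWORD_REUSE_TIME and
--    PASSWORD_REUSE_MAX only restrict reuse when both are set to a number.
--    PASSWORD_* times are in days, CONNECT_TIME and IDLE_TIME in minutes.
ALTER PROFILE DEFAULT LIMIT
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1/24       -- one hour, then automatic unlock
  PASSWORD_LIFE_TIME        90
  PASSWORD_GRACE_TIME       7
  PASSWORD_REUSE_TIME       365
  PASSWORD_REUSE_MAX        10
  PASSWORD_VERIFY_FUNCTION  ora12c_verify_function
  SESSIONS_PER_USER         10
  CONNECT_TIME              480        -- 8 hours
  IDLE_TIME                 30
  COMPOSITE_LIMIT           UNLIMITED;

-- 6. Confirm: anything still UNLIMITED in DEFAULT shows up here.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND limit = 'UNLIMITED';
```

Existing sessions keep the limits they logged in with; new limits apply at the next connection, and accounts whose passwords violate the verify function are only checked at their next password change.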