4 Replies Latest reply: Sep 5, 2011 7:43 AM by Saurabh Gupta-OC

    Password policy

    Saurabh Gupta-OC
      Dear friends,

      We want to implement password compliance policy and have some queries, request you to please suggest me on the below points:

      1) Users access database using - 'sqlplus userid/pwd@connectstring'
      Here we can see the password, it is not in asterisk format. I want to disable db access in this way; I want the user to put only 'sqlplus userid@connectstring' and then the system will ask for the password, which would be in asterisk format. How can we implement this?

      2) As we know that any user can change their password, I want to revoke this privilege from all the users so that only the DBA can change their password. How can it be done?

      Requesting for your reply.

      Thanks.
        • 1. Re: Password policy
          Avinash Tripathi
          Hi,
          Hiding password with SQLPLUS is already supported, you do not need to do anything.
          C:\Users\at0022533>sqlplus hr@ORCL
          
          SQL*Plus: Release 11.2.0.1.0 Production on Fri Aug 26 13:30:12 2011
          
          Copyright (c) 1982, 2010, Oracle.  All rights reserved.
          
          Enter password:
          
          Connected to:
          Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
          With the Partitioning, OLAP, Data Mining and Real Application Testing options
          
          SQL>
          2) As we know that any user can change their password, I want to revoke this privilege from all the users so that only the DBA can change their password. How can it be done?
          What are you trying to achieve here? If someone can log in to the database and he/she knows the password, then what will you achieve by restricting them from changing the password?

          Regards,
          Avinash
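An added example, not part of the thread and not Oracle tooling: a Python audit that scans shell-history or process-listing lines for the 'sqlplus userid/pwd@connectstring' form from the question and reports each hit with the password redacted. The sample lines, user names and passwords are constructed, and POSIX-style command lines are assumed.

```python
import shlex

OPTS_WITH_VALUE = {"-c", "-m", "-r"}  # sqlplus options that take an argument

def logon_token(argv):
    """Return the logon argument that follows the sqlplus executable, or None."""
    names = [a.rsplit("/", 1)[-1].lower() for a in argv]
    if "sqlplus" not in names:
        return None
    args = iter(argv[names.index("sqlplus") + 1:])
    for arg in args:
        if arg.lower() in OPTS_WITH_VALUE:
            next(args, None)               # skip the option's value
        elif not arg.startswith("-"):      # first argument that is not a flag
            return None if arg.startswith("@") else arg  # "@file" is a script
    return None

def split_logon(logon):
    """Split user[/password][@connect_identifier] into its three parts."""
    slash, at = logon.find("/"), logon.find("@")
    if slash == -1 or -1 < at < slash:     # no password part present
        user, _, connect = logon.partition("@")
        return user, "", connect
    user, rest = logon[:slash], logon[slash + 1:]
    if not user and rest.lower() == "nolog":   # "/nolog": start without logon
        return "", "", ""
    # Connect identifiers may contain "/", so split the rest at the last "@".
    password, _, connect = rest.rpartition("@") if "@" in rest else (rest, "", "")
    return user, password, connect

def audit(lines):
    """Return (line number, user, redacted logon) for each inline password."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            argv = shlex.split(line)
        except ValueError:                 # unbalanced quotes in the line
            argv = line.split()
        logon = logon_token(argv)
        user, password, connect = split_logon(logon) if logon else ("", "", "")
        if password:
            shown = f"{user}/****" + (f"@{connect}" if connect else "")
            findings.append((lineno, user, shown))
    return findings

# Constructed sample history lines (not taken from the thread).
SAMPLE = ["sqlplus hr@ORCL", "sqlplus hr/Example_pw1@ORCL",
          "sqlplus -S -L dwh_user/Example_pw2@//db1:1521/dwh @load.sql",
          "sqlplus /nolog", 'sqlplus scott/"p@ss w0rd"@ORCL']
print(audit(SAMPLE))
```

Each flagged line can be rewritten to the 'sqlplus hr@ORCL' form shown in the reply above, which makes SQL*Plus prompt for the password.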
          • 2. Re: Password policy
            Saurabh Gupta-OC
            Basically, the reason for restricting the users from changing their password is the Single User Login system.
            We have DWH env and have a single user id/password and all the users are using same userid to login to the database.
            That is why we wanted to put a restriction that nobody will be able to change the password except DBA.

            I hope now it will be clear to you, Avinash.

            Thank You for your assistance.

            Edited by: 877938 on Aug 26, 2011 2:58 AM

            • 3. Re: Password policy
              Avinash Tripathi
              Hi,
              I think it is not a good idea to share one environment with all the users. How will you control it if some user changes anything and it has an impact on the entire application?

              I would suggest to create a DB account for all your users and give them necessary privilege (e.g. EXECUTE, SELECT) for your DW application.

              If you still want to restrict the users, here is a workaround.

              http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_2.shtml


              Regards,
              Avinash
              • 4. Re: Password policy
                Saurabh Gupta-OC
                Thanks Avinash.

                Thanks for sharing the solution, I have not tried it yet but looks really good.

                Will update you once I get time to implement this.

                Regards,
                Saurabh