5 Replies Latest reply on Mar 2, 2007 5:47 AM by Madrid

    I need Oracle user passwords expire every 120 days

      I need Oracle user passwords expire every 120 days. How can I do it?
        • 1. Re: I need Oracle user passwords expire every 120 days
          Create a profile with password expiration time of 120 days and assign users to that profile.
          • 2. Re: I need Oracle user passwords expire every 120 days
            Oscar de la Torre-Oracle
            If you mean Oracle users (database users) then use a profile.
            If you mean OS user who runs oracle, it depends on your OS.
            • 3. Re: I need Oracle user passwords expire every 120 days

              You can do this by setting the profiles..
              ===here some overiew of profiles ===
              You can get an idea about scripting Oracle password security profiles by examining Oracle's utlpwdmg.sql script located in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.

              The script notes:

              Rem utlpwdmg.sql
              . . .
              Rem utlpwdmg.sql - script for Default Password Resource Limits
              . . .
              -- This script sets the default password resource parameters
              -- This script needs to be run to enable the password features.
              -- However the default resource parameters can be changed based
              -- on the need.
              -- A default password complexity function is also provided.
              -- This function makes the minimum complexity checks like
              -- the minimum length of the password, password not same as the
              -- username, etc. The user may enhance this function according to
              -- the need.
              -- This function must be created in SYS schema.
              -- connect sys/ as sysdba before running the script

              Oracle password profile security syntax

              Oracle password security is implemented via Oracle "profiles" which are assigned to users. Here is the Oracle security profile syntax:

              ALTER PROFILE profile_name LIMIT pw_limit(s) range


              pw_limit = PASSWORD_LIFE_TIME

              range = UNLIMITED | DEFAULT | expression

              We start by creating security "profiles" in Oracle and then alter the user to belong to the profile group:

              create profile
              PASSWORD_LIFE_TIME = 365,
              PASSWORD_GRACE_TIME = 10,
              PASSWORD_REUSE_MAX = 0,
              FAILED_LOGIN_ATTEMPTS = 3,

              create user fred identified by flintstone profile finance_user;

              We see the following "alter profile" parameters, which are invoked as;

              alter profile
              failed_login_attempts = 4;

              Oracle password security profile parameters

              Here are the password security parameters:

              * failed_login_attempts - This is the number of failed login attempts before locking the Oracle user account. The default is three failed attempts.

              * password_grace_time - This is the grace period after the password_life_time limit is exceeded.

              * password_life_time - This is how long an existing password is valid. The default here forces a password change every 60 days.

              * password_lock_time – This specifies how long to lock the account after the failed login attempts is met. Most DBA’s set this value to UNLIMITED.

              * password_reuse_max – This is the number of times that you may re-user a passwords and is intended to prevent repeating password cycles (north, south, east, west).

              * password_reuse_time – This parameter specifies a time limit before a previous password can be re-entered. To never allow a re-used password set password_reuse_time to UNLIMITED.

              * password_verify_function - This allows you to specify the name of a custom password verification function.

              • 4. Re: I need Oracle user passwords expire every 120 days
                you also need to enable resource_limit parameter. like:

                ALTER SYSTEM SET RESOURCE_LIMIT = TRUE scope=both;
                • 5. Re: I need Oracle user passwords expire every 120 days
                  Resource_limit=true is required to activate the 'KERNEL' resource type of the profile. The PASSWORD resource type is alway active, it's enough to declare a value different from the UNLIMITED default.