5 Replies Latest reply on Mar 2, 2007 5:47 AM by Madrid

    I need Oracle user passwords expire every 120 days

    443882
      I need Oracle user passwords expire every 120 days. How can I do it?
        • 1. Re: I need Oracle user passwords expire every 120 days
          427367
          Create a profile with password expiration time of 120 days and assign users to that profile.
          • 2. Re: I need Oracle user passwords expire every 120 days
            Oscar de la Torre-Oracle
            If you mean Oracle users (database users) then use a profile.
            If you mean OS user who runs oracle, it depends on your OS.
            • 3. Re: I need Oracle user passwords expire every 120 days
              Raman
              Hi,

              You can do this by setting the profiles.
              Thanks
              --Raman
              === here is some overview of profiles ===
              You can get an idea about scripting Oracle password security profiles by examining Oracle's utlpwdmg.sql script located in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.

              The script notes:

              Rem utlpwdmg.sql
              . . .
              Rem utlpwdmg.sql - script for Default Password Resource Limits
              . . .
              -- This script sets the default password resource parameters
              -- This script needs to be run to enable the password features.
              -- However the default resource parameters can be changed based
              -- on the need.
              -- A default password complexity function is also provided.
              -- This function makes the minimum complexity checks like
              -- the minimum length of the password, password not same as the
              -- username, etc. The user may enhance this function according to
              -- the need.
              -- This function must be created in SYS schema.
              -- connect sys/ as sysdba before running the script

              Oracle password profile security syntax


              Oracle password security is implemented via Oracle "profiles" which are assigned to users. Here is the Oracle security profile syntax:

              ALTER PROFILE profile_name LIMIT pw_limit(s) range

              where:

              pw_limit = PASSWORD_LIFE_TIME
              PASSWORD_GRACE_TIME
              PASSWORD_REUSE_TIME
              PASSWORD_REUSE_MAX
              FAILED_LOGIN_ATTEMPTS
              PASSWORD_LOCK_TIME

              range = UNLIMITED | DEFAULT | expression


              We start by creating security "profiles" in Oracle and then alter the user to belong to the profile group:

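              -- Profile named finance_user so it matches the profile assigned to fred below.
              -- CREATE PROFILE takes "parameter value" pairs: no "=" and no commas.
              create profile
              finance_user
              limit
              PASSWORD_LIFE_TIME 365
              PASSWORD_GRACE_TIME 10
              PASSWORD_REUSE_TIME UNLIMITED
              PASSWORD_REUSE_MAX 0
              FAILED_LOGIN_ATTEMPTS 3
              PASSWORD_LOCK_TIME UNLIMITED;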

              create user fred identified by flintstone profile finance_user;

              We see the following "alter profile" parameters, which are invoked as:

              -- ALTER PROFILE uses the LIMIT keyword (not SET) and no "="
              alter profile
              finance_user
              limit
              failed_login_attempts 4;

              Oracle password security profile parameters

              Here are the password security parameters:

              * failed_login_attempts - This is the number of failed login attempts before locking the Oracle user account. The default is three failed attempts.

              * password_grace_time - This is the grace period after the password_life_time limit is exceeded.

              * password_life_time - This is how long an existing password is valid. The default here forces a password change every 60 days.

              * password_lock_time – This specifies how long to lock the account after the failed login attempts limit is met. Most DBAs set this value to UNLIMITED.

              * password_reuse_max – This is the number of times that you may reuse a password and is intended to prevent repeating password cycles (north, south, east, west).

              * password_reuse_time – This parameter specifies a time limit before a previous password can be re-entered. To never allow a re-used password set password_reuse_time to UNLIMITED.

              * password_verify_function - This allows you to specify the name of a custom password verification function.

              =============================
              • 4. Re: I need Oracle user passwords expire every 120 days
                ScottZheng
                You also need to enable the resource_limit parameter, like:

                ALTER SYSTEM SET RESOURCE_LIMIT = TRUE scope=both;
                • 5. Re: I need Oracle user passwords expire every 120 days
                  Madrid
                  Resource_limit=true is required to activate the 'KERNEL' resource type of the profile. The PASSWORD resource type is always active; it's enough to declare a value different from the UNLIMITED default.
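
An added example, not part of any reply in this thread: the 120-day expiry the question asks for, written as a profile, followed by checks against DBA_PROFILES and DBA_USERS that list the limits by resource type and find accounts still outside the policy. The profile name pw_120 and the 10-day grace period are assumptions; fred is the sample user from reply 3.

```sql
-- Added example. pw_120 is a hypothetical profile name.
-- Limits not named here fall back to the DEFAULT profile's values.
CREATE PROFILE pw_120 LIMIT
  PASSWORD_LIFE_TIME  120   -- days a password stays valid
  PASSWORD_GRACE_TIME 10;   -- assumed grace period, in days

-- Assign the profile to an existing account (repeat per user).
ALTER USER fred PROFILE pw_120;

-- Show the profile's limits with their resource type
-- (PASSWORD vs. KERNEL, the distinction made in reply 5).
SELECT resource_name, resource_type, limit
FROM   dba_profiles
WHERE  profile = 'PW_120'
ORDER  BY resource_type, resource_name;

-- Audit: accounts whose effective PASSWORD_LIFE_TIME is not 120.
-- A profile limit of DEFAULT is resolved through the DEFAULT profile.
SELECT u.username,
       u.profile,
       u.account_status,
       u.expiry_date,
       CASE p.limit WHEN 'DEFAULT' THEN d.limit ELSE p.limit END
         AS effective_life_time
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile = u.profile
       AND p.resource_name = 'PASSWORD_LIFE_TIME'
JOIN   dba_profiles d
       ON  d.profile = 'DEFAULT'
       AND d.resource_name = 'PASSWORD_LIFE_TIME'
WHERE  CASE p.limit WHEN 'DEFAULT' THEN d.limit ELSE p.limit END <> '120'
ORDER  BY u.username;
```

An empty result from the last query means every account is covered by a 120-day limit; any rows returned are accounts still on a profile with a different or UNLIMITED lifetime.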