Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Subject: Oracle 7 – Password Enforcement
(Message started by: Pete Finnigan on Feb 9th, 2006, 1:21am)

Title: Subject: Oracle 7 – Password Enforcement
Post by Pete Finnigan on Feb 9th, 2006, 1:21am
Within an article written by Jared Still (15 April 2005) www.orafaq.com/articles/archives/000064.htm - (broken link) the following comment is made:

“As long ago as Version 8.0 Oracle has had the ability to create a user profile in the database with a function associated with it that could force users to adhere to password policy.”

Does this imply that Oracle 7 does not have the technical functionality to force users to adhere to password policy?  And if not, are there any tools or tricks that can be applied with Oracle 7 to force users to adhere to password security policy?

Title: Re: Subject: Oracle 7 – Password Enforcement
Post by Pete Finnigan on Feb 9th, 2006, 6:17pm
Hi Dale,

Oracle 7 does not support password management. If Kev is online he may be able to help as he was involved in password management for earlier versions of Oracle.

cheers

Pete

Title: Re: Subject: Oracle 7 – Password Enforcement
Post by Pete Finnigan on Feb 10th, 2006, 11:05am
Hi Dale.

You are right. There was no password management in V7.

I was involved in the development and support of a Password Manager product by a company called BrainTree Security for many years. The issue was always that there were no hooks from a standard Oracle login to enforce password aging, and the Password Manager could age passwords, but only force the user to change his password if the application was modified to call Password Manager.

The best that we could do otherwise was email the user telling him that the password was about to expire.

Password Manager was merged into NetIQ's Vigilant Agent for Oracle product about 4 years ago, and went end of life last year. I am not aware of anything else that can age passwords at the DB level in V7.

The issue was that until profiles came along, there was no record kept of when the password was changed, so you couldn't find out how old it was. There was also no method of checking the quality of the password. We could only handle it by doing the password changes through our own procedure, and that didn't stop someone changing the password via standard ALTER commands.

There is a spin-off product called AppliGuard which does password controls for web-based applications, but also has an API which can be used to enforce password aging, but only via the API calls. This is now marketed and supported by Blue Cube Security (UK).

Hope this helps.

Kevin Else
NoFools Ltd


