CREATE PROFILE myprofile LIMIT FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;Users assigned to this profile will be locked out of theiraccounts after five login attempts with an incorrect password. The account willbe inaccessible for one day or until a DBA issues this command:
ALTER USER
ALTER PROFILE myprofile LIMIT PASSWORD_LIFE_TIME 30 PASSWORD_GRACE_TIME 3;Users assigned to that profile will be locked out of theiraccounts 30 days after the last time the password is changed. After 30 days,attempting to log in will result in warning messages for three more days beforethe account is locked.
Many users will see these limits and simply try to resettheir passwords to what they were previously using rather than using a newpassword each time. You can prevent users from reusing a password with thePASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX tags.
ALTER PROFILE myprofile LIMIT PASSWORD_REUSE_TIME 30 PASSWORD_REUSE_MAX 100;Users with this profile will not be able to reuse a passwordfor 30 days, or until after they change the password 100 times.
Finally, some users will use passwords that are easy toguess. It's possible to restrict a password's format (such as checking for aminimum width, letters, numbers, or mixed case, or verifying that the passwordisn't a variation of the username) by creating a PL/SQL procedure thatvalidates passwords. You must format the procedure like this:
CREATE OR REPLACE FUNCTION verify_password( useridvarchar(30), password varchar(30), old_passwordvarchar(30)) RETURN BOOLEAN…You can assign this function (which can be any name, but itmust be owned by the SYS account) with the following:
ALTER PROFILE myprofile LIMIT PASSWORD_VERIFY_FUNCTION verify_password;
No comments:
Post a Comment