Home > Ask the Oracle Database / Applications Experts > Oracle database design and architecture Questions & Answers > Disallowing obvious passwords
Ask The Oracle Expert: Questions & Answers
EMAIL THIS

Disallowing obvious passwords

Brian Peasland EXPERT RESPONSE FROM: Brian Peasland

Pose a Question
Other Oracle Categories
Meet all Oracle Experts
Become an Expert for this site


Oracle tips, scripts, and expert advice
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


>
QUESTION POSED ON: 02 March 2006
We are currently using Oracle's password function (utlpwdmg.sql, edited) verify_function as part of security in a 9i database. I would like to go further and disallow several hundred obvious passwords (e.g., password#1) that could still meet verification standards. The obvious way is to add these words to the -20002 section that checks if it is too simple. However the function also says that a dictionary of words can be maintained, and to that end I have created a table. Can you assist and show me how I reference this from the verify_function instead of the usual (password) IN ('welcome', 'blah1', 'blah2')?

>
You'll need to do a little recoding of your password verification function. Store all of your words in a table in the database. I'm going to assume that these words are in the BAD_WORD column of the BAD_PASSWORDS table. In the declaration section of the password verification function declare a NUMBER variable that we'll call BAD_COUNT. Now for the easy part; add code similar to the following to your password verification function: 
-- Get the number of times the new password is found in the BAD_PASSWORDS table
SELECT COUNT(*) INTO bad_count FROM bad_passwords
WHERE bad_word = new_password;

-- If count = 0, then new password not in the table, else count at least 1. 
IF bad_count > 0 THEN RAISE APPLICATION ERROR (-20002,'Cannot use a simple word for the password');
To add a new "bad" word, simply insert the word into the table. There will be no need to recode the password verification function.


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google



RELATED CONTENT
Oracle database design and architecture
How to use V$SEGMENT_STATISTICS to find the most accessed Oracle table
Can I install an Oracle client on Windows 7?
How to use the Oracle Database Upgrade Assistant (DBUA)
Can I specify Oracle column order in my database table?
Can I have a single Oracle 11g RAC instance across multiple databases?
How to use the Oracle export utility to duplicate database structure
How to choose the primary key columns in an Oracle table
Understanding the data archiving definition
How to plan Oracle Grid Control Repository maintenance
What Linux flavor should I use for my Linux proof of concept in Oracle?

Oracle database design and architecture
How to use V$SEGMENT_STATISTICS to find the most accessed Oracle table
Can I install an Oracle client on Windows 7?
How to use the Oracle Database Upgrade Assistant (DBUA)
Can I specify Oracle column order in my database table?
Can I have a single Oracle 11g RAC instance across multiple databases?
How to use the Oracle export utility to duplicate database structure
How to choose the primary key columns in an Oracle table
Understanding the data archiving definition
Review: Oracle's 11g R2 database has some good and bad
Scaling an Oracle database: What is the best strategy for you?

Oracle database security
Oracle delivers database fixes in Critical Patch Update
How to use DBMS_CRYPTO package for Oracle password encryption/hashing
How to decrypt an Oracle password using John the Ripper and checkpwd
How to use the CREATE SESSION command to track Oracle database logins
How to troubleshoot Oracle critical patch updates using OPatch
Can I automate Oracle patching when installing Oracle Standard Edition?
Is it possible to automate Oracle CPUs for a DoD project?
Three steps to help improve Oracle database security
Tips for auditing and securing database backups in Oracle
How to prevent a SQL injection attack in Oracle

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
E. F. Codd  (SearchOracle.com)
extent  (SearchOracle.com)
flexfield  (SearchOracle.com)
foreign key  (SearchOracle.com)
multidimensional database  (SearchOracle.com)
object-oriented database management system  (SearchOracle.com)
quad tree  (SearchOracle.com)
relational online analytical processing  (SearchOracle.com)
row  (SearchOracle.com)
splay tree  (SearchOracle.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
Browse our Expert Advice



Oracle White Papers: Fusion Middleware
HomeNewsTopicsTipsAsk the ExpertsMultimediaWhite PapersProductsBlogs
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts