Disallowing obvious passwords

We are currently using Oracle's password function (utlpwdmg.sql, edited) verify_function as part of security in a 9i database. I would like to go further and disallow several hundred obvious passwords (e.g., password#1) that could still meet verification standards. The obvious way is to add these words to the -20002 section that checks if it is too simple. However, the function also says that a dictionary of words can be maintained, and to that end I have created a table. Can you assist and show me how I reference this from the verify_function instead of the usual (password) IN ('welcome', 'blah1', 'blah2')?

You'll need to do a little recoding of your password verification function. Store all of your words in a table in the database. I'm going to assume that these words are in the BAD_WORD column of the BAD_PASSWORDS table. In the declaration section of the password verification function, declare a NUMBER variable that we'll call BAD_COUNT. Now for the easy part: add code similar to the following to your password verification function:

    -- Get the number of times the new password is found in the BAD_PASSWORDS table.
    -- new_password stands for the function's new-password parameter
    -- (named PASSWORD in the stock utlpwdmg.sql).
    SELECT COUNT(*) INTO bad_count FROM bad_passwords
    WHERE bad_word = new_password;

    -- If count = 0, then new password not in the table, else count at least 1.
    IF bad_count > 0 THEN
       raise_application_error(-20002, 'Cannot use a simple word for the password');
    END IF;

To add a new "bad" word, simply insert the word into the table. There will be no need to recode the password verification function.
This was last published in March 2006
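The table lookup described in the answer, as an added example that is not part of the original answer or Oracle's script. It goes one step further by lowercasing both the stored words and the candidate, because 9i passwords are not case sensitive and an exact match would let a differently cased copy of a listed word through. VERIFY_FUNCTION_DICT, the constraint names and the sample values are assumptions made for illustration.

```sql
-- Added example. Run as SYS: a profile's PASSWORD_VERIFY_FUNCTION must be owned
-- by SYS. BAD_PASSWORDS/BAD_WORD are the answer's assumed names; VERIFY_FUNCTION_DICT
-- is a hypothetical name, chosen so an existing VERIFY_FUNCTION is not replaced.
CREATE TABLE bad_passwords (
  bad_word VARCHAR2(30),
  CONSTRAINT bad_passwords_pk PRIMARY KEY (bad_word),
  -- Entries are stored lowercased so one normalised lookup covers every casing
  CONSTRAINT bad_passwords_lc CHECK (bad_word = LOWER(bad_word))
);

INSERT INTO bad_passwords (bad_word) VALUES ('password#1');  -- constructed sample
COMMIT;

CREATE OR REPLACE FUNCTION verify_function_dict (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  bad_count NUMBER;
BEGIN
  -- Qualify the parameter with the function name so it can never be read as a
  -- column; lowercase it to match how the table stores its words.
  SELECT COUNT(*) INTO bad_count
    FROM bad_passwords
   WHERE bad_word = LOWER(verify_function_dict.password);
  IF bad_count > 0 THEN
    raise_application_error(-20002, 'Cannot use a simple word for the password');
  END IF;
  RETURN TRUE;
END;
/

-- Exercise the check with constructed inputs (SET SERVEROUTPUT ON in SQL*Plus).
DECLARE
  PROCEDURE check_pw (p VARCHAR2) IS
    ok BOOLEAN;
  BEGIN
    ok := verify_function_dict('scott', p, NULL);
    DBMS_OUTPUT.PUT_LINE(p || ': accepted');
  EXCEPTION
    WHEN OTHERS THEN
      IF SQLCODE = -20002 THEN DBMS_OUTPUT.PUT_LINE(p || ': rejected');
      ELSE RAISE; END IF;
  END;
BEGIN
  check_pw('Password#1');   -- listed word, different casing
  check_pw('Xk7#mQ2vLp');   -- constructed value that is not in the table
END;
/
```

In a real deployment the lookup goes inside your existing verification function next to its other checks, and write access to BAD_PASSWORDS should be limited to the accounts that maintain the list.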
