oracle用户密码规则,Oracle 复杂用户密码规则设置

本文介绍了如何在Oracle数据库中启用和配置复杂的密码规则,包括创建验证函数和修改默认配置,以提高用户密码的安全性。通过示例展示了当密码不符合规则时系统给出的错误提示。


在ORACLE中,默认的密码规则非常宽松,再简单的密码也可以被设置。但是在对安全比较敏感的环境下,我们最好开启ORACLE的复杂密码规则功能。

下面我们来看看默认的ORACLE密码规则是什么样的:

[ora9i@db ora9i]$ sqlplus "/ as sysdba"

SQL*Plus: Release 9.2.0.8.0 - Production on Mon Apr 8 18:57:47 2013

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Connected to:

Oracle9i Enterprise Edition Release 9.2.0.8.0 - Production

With the Partitioning, OLAP and Oracle Data Mining options

JServer Release 9.2.0.8.0 - Production

SQL> select * from dba_profiles where resource_name='PASSWORD_VERIFY_FUNCTION';

PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- -------- ----------------------------------------

DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL

PROFILE中的PASSWORD_VERIFY_FUNCTION是对ORACLE用户进行复杂密码规则设置的参数, 参数的值被设置为进行密码规则验证的函数。

ORACLE已经为我们提供了一份密码规则蓝本(utlpwdmg.sql),我们可以根据这个蓝本进行自定义的设置。

[ora9i@db ora9i]$ cat $ORACLE_HOME/rdbms/admin/utlpwdmg.sql

Rem

Rem $Header: utlpwdmg.sql 31-aug-2000.11:00:47 nireland Exp $

Rem

Rem utlpwdmg.sql

Rem

Rem Copyright (c) Oracle Corporation 1996, 2000. All Rights Reserved.

Rem

Rem NAME

Rem utlpwdmg.sql - script for Default Password Resource Limits

Rem

Rem DESCRIPTION

Rem This is a script for enabling the password management features

Rem by setting the default password resource limits.

Rem

Rem NOTES

Rem This file contains a function for minimum checking of password

Rem complexity. This is more of a sample function that the customer

Rem can use to develop the function for actual complexity checks that the

Rem customer wants to make on the new password.

Rem

Rem MODIFIED (MM/DD/YY)

Rem nireland 08/31/00 - Improve check for username=password. #1390553

Rem nireland 06/28/00 - Fix null old password test. #1341892

Rem asurpur 04/17/97 - Fix for bug479763

Rem asurpur 12/12/96 - Changing the name of password_verify_function

Rem asurpur 05/30/96 - New script for default password management

Rem asurpur 05/30/96 - Created

Rem

-- This script sets the default password resource parameters

-- This script needs to be run to enable the password features.

-- However the default resource parameters can be changed based

-- on the need.

-- A default password complexity function is also provided.

-- This function makes the minimum complexity checks like

-- the minimum length of the password, password not same as the

-- username, etc. The user may enhance this function according to

-- the need.

-- This function must be created in SYS schema.

-- connect sys/ as sysdba before running the script

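CREATE OR REPLACE FUNCTION verify_function
(username varchar2,
 password varchar2,
 old_password varchar2)
RETURN boolean IS
   -- Password complexity check intended for use as a profile's
   -- PASSWORD_VERIFY_FUNCTION.
   --
   -- Parameters:
   --   username      account whose password is being set
   --   password      proposed new password
   --   old_password  previous password; may be NULL, in which case the
   --                 "differs from old password" check is skipped
   -- Returns TRUE when every check passes.
   -- Raises:
   --   -20001  password equals the username (case-insensitive)
   --   -20002  password shorter than 4 characters, or in the word list
   --   -20003  password lacks a digit, a letter or a punctuation mark
   --   -20004  password differs from old_password in fewer than 3 positions
   --
   -- NOTE(review): the thresholds here (minimum length 4, an 8-word list)
   -- are the sample's floor values; the script's own notes describe this as
   -- a sample to be extended. Tighten them to the site's password policy
   -- before relying on this function.
   m          integer;
   differ     integer;
   isdigit    boolean;
   ischar     boolean;
   ispunct    boolean;
   digitarray varchar2(20);
   punctarray varchar2(25);
   chararray  varchar2(52);
BEGIN
   digitarray := '0123456789';
   chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
   punctarray := '!"#$%&()``*+,-/:;<=>?_';

   -- Check if the password is same as the username.
   -- Only case-insensitive equality is tested; despite the message, a
   -- password that merely contains or resembles the username is accepted.
   IF NLS_LOWER(password) = NLS_LOWER(username) THEN
      raise_application_error(-20001, 'Password same as or similar to user');
   END IF;

   -- Check for the minimum length of the password
   IF length(password) < 4 THEN
      raise_application_error(-20002, 'Password length less than 4');
   END IF;

   -- Check if the password is too simple. A dictionary of words may be
   -- maintained and a check may be made so as not to allow the words
   -- that are too simple for the password.
   -- This raises the same code (-20002) as the length check, so callers
   -- can only tell the two apart by the message text.
   IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user',
                              'password', 'oracle', 'computer', 'abcd') THEN
      raise_application_error(-20002, 'Password too simple');
   END IF;

   -- Check if the password contains at least one letter, one digit and one
   -- punctuation mark. Each search jumps to the next stage on its first hit;
   -- falling out of the loops means the class is missing.

   -- 1. Check for the digit
   isdigit := FALSE;
   m := length(password);
   FOR i IN 1..10 LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(digitarray,i,1) THEN
            isdigit := TRUE;
            GOTO findchar;
         END IF;
      END LOOP;
   END LOOP;
   IF NOT isdigit THEN
      raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
   END IF;

   -- 2. Check for the character
   <<findchar>>
   ischar := FALSE;
   FOR i IN 1..length(chararray) LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(chararray,i,1) THEN
            ischar := TRUE;
            GOTO findpunct;
         END IF;
      END LOOP;
   END LOOP;
   IF NOT ischar THEN
      -- Single-line literal: a backslash followed by a line break inside a
      -- PL/SQL string is not a continuation and would end up in the message.
      raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
   END IF;

   -- 3. Check for the punctuation
   -- Only characters listed in punctarray count; other symbols do not
   -- satisfy this check.
   <<findpunct>>
   ispunct := FALSE;
   FOR i IN 1..length(punctarray) LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(punctarray,i,1) THEN
            ispunct := TRUE;
            GOTO endsearch;
         END IF;
      END LOOP;
   END LOOP;
   IF NOT ispunct THEN
      raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
   END IF;

   <<endsearch>>
   -- Check if the password differs from the previous password by at least
   -- 3 letters. The comparison is positional: the length difference plus
   -- the number of mismatching characters over the shorter length.
   IF old_password IS NOT NULL THEN
      differ := length(old_password) - length(password);

      -- A length difference of 3 or more already satisfies the rule.
      IF abs(differ) < 3 THEN
         IF length(password) < length(old_password) THEN
            m := length(password);
         ELSE
            m := length(old_password);
         END IF;

         differ := abs(differ);
         FOR i IN 1..m LOOP
            IF substr(password,i,1) != substr(old_password,i,1) THEN
               differ := differ + 1;
            END IF;
         END LOOP;

         IF differ < 3 THEN
            raise_application_error(-20004, 'Password should differ by at least 3 characters');
         END IF;
      END IF;
   END IF;

   -- Everything is fine; return TRUE ;
   RETURN(TRUE);
END;
/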

-- This script alters the default parameters for Password Management

-- This means that all the users on the system have Password Management

-- enabled and set to the following values unless another profile is

-- created with parameter values set to different value or UNLIMITED

-- is created and assigned to the user.

-- Password limits applied to the DEFAULT profile. Time-based limits are
-- expressed in days.
--   Lockout:  3 consecutive failed logins lock the account for 1/1440 day
--             (one minute).
--   Aging:    passwords expire after 60 days, followed by a 10-day grace
--             period.
--   Reuse:    PASSWORD_REUSE_TIME 1800 combined with PASSWORD_REUSE_MAX
--             UNLIMITED -- NOTE(review): confirm the effective reuse rule
--             for this combination on the target release.
--   Checking: new passwords are passed to verify_function.
-- NOTE(review): accounts that stay on DEFAULT, including application and
-- batch accounts, inherit the 60-day expiry and the lockout; review which
-- accounts need their own profile before running this.
ALTER PROFILE DEFAULT LIMIT
   FAILED_LOGIN_ATTEMPTS    3
   PASSWORD_LOCK_TIME       1/1440
   PASSWORD_LIFE_TIME       60
   PASSWORD_GRACE_TIME      10
   PASSWORD_REUSE_TIME      1800
   PASSWORD_REUSE_MAX       UNLIMITED
   PASSWORD_VERIFY_FUNCTION verify_function;

启用复杂密码规则步骤(注意:该脚本除了创建验证函数外,还会修改 DEFAULT profile 的密码有效期、失败登录锁定等限制,对所有使用 DEFAULT profile 的用户生效):

--创建密码规则函数

SQL> @?/rdbms/admin/utlpwdmg.sql

Function created.

Profile altered.

SQL> select * from dba_profiles;

PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- -------- ----------------------------------------

DEFAULT COMPOSITE_LIMIT KERNEL UNLIMITED

DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 3

DEFAULT SESSIONS_PER_USER KERNEL UNLIMITED

DEFAULT PASSWORD_LIFE_TIME PASSWORD 60

DEFAULT CPU_PER_SESSION KERNEL UNLIMITED

DEFAULT PASSWORD_REUSE_TIME PASSWORD 1800

DEFAULT CPU_PER_CALL KERNEL UNLIMITED

DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED

DEFAULT LOGICAL_READS_PER_SESSION KERNEL UNLIMITED

DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD VERIFY_FUNCTION

DEFAULT LOGICAL_READS_PER_CALL KERNEL UNLIMITED

PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- -------- ----------------------------------------

DEFAULT PASSWORD_LOCK_TIME PASSWORD .0006

DEFAULT IDLE_TIME KERNEL UNLIMITED

DEFAULT PASSWORD_GRACE_TIME PASSWORD 10

DEFAULT CONNECT_TIME KERNEL UNLIMITED

DEFAULT PRIVATE_SGA KERNEL UNLIMITED

16 rows selected.

--当设置简单密码时,系统会报出相应的错误提示

SQL> alter user test identified by sdf;

alter user test identified by sdf

*

ERROR at line 1:

ORA-28003: password verification for the specified password failed

ORA-20002: Password length less than 4

--当设置复杂密码时设置成功

SQL> alter user test identified by "s1A8?I";

User altered.

源地址:
