
Choosing A Secure Password

Choosing secure passwords and implementing good password policies are by far the most important defense against password-based security threats. Oracle recommends that customers use passwords at least 10 characters in length. In addition, the complexity of the password is critical: passwords that are based on words are vulnerable to dictionary attacks. A complex password should contain:

At least 10 characters
A mixture of letters and numbers
Mixed case letters (Oracle Database 11g)
Symbols (pre-Oracle Database 11g allows "_", "$" and "#")
Little or no relation to an actual word

Although there is no substitute for a strong, complex password, the following techniques can be used to generate longer passwords from a shorter, easier-to-remember password. Note that Oracle Database 11g supports mixed-case passwords.

Create passwords from the 1st letters of the words of an easy-to-remember sentence: 'I usually work until 6 almost every day of the week' would become 'Iuwu6aedotw'
Combine two weaker passwords, such as "welcome1" and "tiger", into "WelTigerCome1"
Repeat a character at the beginning or end of the password
Prepend or append a string of some sort
Append PART of the same password
Double some or all of the letters: "welcome13" → "wwellCcooMmee13"

Using a random technique from this list can increase the work that an attacker must do before they can crack a password.

Oracle also recommends that customers enforce password expiration and reuse policies using Oracle profiles and follow the best practices defined by Oracle Applications. Oracle Database 11g makes it easy to configure password policies during database installation. For example, during install, customers can limit the number of times a user can enter an incorrect password before the account is temporarily deactivated. Oracle Database auditing can also be used to monitor account logins.
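The complexity rules and the profile-based expiration, reuse and lockout policies described above can be enforced inside the database itself. The following is an added example, not code from this page or from Oracle's supplied scripts: a PL/SQL password-verify function that applies the listed checks (plus a check that the password does not contain the user name), attached to a profile. The names verify_pw_complexity and secure_pw are assumptions, the function must be created in the SYS schema, and the dictionary check uses a small constructed word list rather than a real one.

```sql
-- Added example: password-verify function enforcing the rules listed above.
-- Create as SYS; the names verify_pw_complexity and secure_pw are assumptions.
CREATE OR REPLACE FUNCTION verify_pw_complexity (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN IS
  -- Constructed mini word list; a real deployment would load a fuller one.
  TYPE word_list IS TABLE OF VARCHAR2(30);
  bad_words word_list := word_list('welcome', 'oracle', 'password', 'tiger');
BEGIN
  -- At least 10 characters
  IF LENGTH(password) < 10 THEN
    raise_application_error(-20001, 'Password must be at least 10 characters');
  END IF;
  -- A mixture of letters and numbers
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20002, 'Password must mix letters and numbers');
  END IF;
  -- Mixed case (passwords are case sensitive from Oracle Database 11g)
  IF NOT REGEXP_LIKE(password, '[[:lower:]]')
     OR NOT REGEXP_LIKE(password, '[[:upper:]]') THEN
    raise_application_error(-20003, 'Password must contain upper and lower case');
  END IF;
  -- At least one symbol (any non-alphanumeric character)
  IF NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    raise_application_error(-20004, 'Password must contain a symbol');
  END IF;
  -- Little or no relation to an actual word, or to the user name
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20005, 'Password must not contain the user name');
  END IF;
  FOR i IN 1 .. bad_words.COUNT LOOP
    IF INSTR(LOWER(password), bad_words(i)) > 0 THEN
      raise_application_error(-20006, 'Password is based on a common word');
    END IF;
  END LOOP;
  RETURN TRUE;
END;
/

-- Profile carrying the lockout, expiration and reuse limits together with the
-- verify function; assign it with ALTER USER <user> PROFILE secure_pw.
CREATE PROFILE secure_pw LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION verify_pw_complexity;
```

Note that the sample passwords generated by the techniques above contain no symbol and would be rejected by the symbol check; drop that check if the symbol rule is treated as guidance rather than a requirement.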

Oracle Database Enterprise User Security (EUS) leverages Oracle Identity Management to centrally store and manage database passwords. EUS supports password based authentication starting with Oracle9i Release 2. In addition, EUS started supporting SHA-1 hashes with Oracle Database 10g Release 1. Please note that centralized password based authentication requires a license of Oracle Identity Management Directory Services.

Customers who are concerned about password-based authentication can optionally use stronger authentication technologies such as Kerberos, SSL, or RADIUS. These are available with Oracle Advanced Security.
