Choosing A Secure Password

Choosing secure passwords and implementing good password policies are by far the most important defense for protecting against password based security threats. Oracle recommends customers use passwords with at least 10 characters in length. In addition, the complexity of the password is critical. Passwords that are based on words are vulnerable to a "Dictionary attacks". A complex password should contain:

	At least 10 characters
	A mixture of letters and numbers
	Mixed case letters (Oracle Database 11g)
	Include symbols (pre-Oracle Database 11g allows "_", "$" and "#")
	Little or no relation to an actual word

Although there is no substitute for a strong, complex password, the following techniques could be used to generate longer passwords from a shorter, easier to remember password. Note that Oracle Database 11g supports mix-case passwords.

	Create passwords from the 1st letters of the words of an easy-to-remember sentence: 'I usually work until 6 almost every day of the week' would become 'Iuwu6aedotw'
	Combine 2 weaker passwords like: "welcome1" and "tiger" into "WelTigerCome1"
	Repeat a character at the beginning or end of the password
	Prepend or append a string of some sort
	Append PART of the same password
	Double some or all of the letters: "welcome13" → "wwellCcooMmee13"

Using a random technique from this list can increase the work that an attacker must do before they can crack a password.

Oracle also recommends customers enforce password expiration and reuse policies using Oracle profiles and follow best practices defined by Oracle Applications. Oracle Database 11g made it easy to configure password policies during database install. For example, during install, customers can decide to limit the number of times a user can input incorrect passwords before getting his/her account temporarily deactivated. Oracle Database auditing can also be used to monitor account logins.

Oracle Database Enterprise User Security (EUS) leverages Oracle Identity Management to centrally store and manage database passwords. EUS supports password based authentication starting with Oracle9i Release 2. In addition, EUS started supporting SHA-1 hashes with Oracle Database 10g Release 1. Please note that centralized password based authentication requires a license of Oracle Identity Management Directory Services.

For customers who are concerned about password based authentication, can optionally use advanced authentication technologies Kerberos, SSL, or Radius. These are available with Oracle Advanced Security.

Overview Cost Effective Security and Compliance with Oracle Database 11g Release 2 HITECH's Challenge to the Health Care Industry Protecting the Electric Grid in a Dangerous World Sustainable Compliance for the Payment Card Industry Data Security Standard Defense-in-Depth Guide Oracle Database Security Overview Choosing A Secure Password Secure External Password Store Oracle Database Security Checklist - Technical Whitepaper Security Features Data Encryption Virtual Private Database Database Auditing Backup Encryption Export file encryption Proxy Authentication Enterprise User Security Secure Application Roles Fine Grained Auditing

Customer Successes Industry leading organizations globally rely on Oracle Database Security Solutions to protect data privacy, address insider threats, and meet regulatory compliance - without changes to their existing applications, saving time and money. Database Security Customers Security Options Oracle Database Vault Oracle Advanced Security Oracle Label Security Related Technologies Database Firewall Audit Vault Data Masking (pdf) Secure Backup Configuration Management Identity Management Discussion Forums Security Audit Vault