Choosing A Secure Password
Choosing secure passwords and implementing good password policies are by far the most important defense for protecting against password based security threats. Oracle recommends customers use passwords with at least 10 characters in length. In addition, the complexity of the password is critical. Passwords that are based on words are vulnerable to a "Dictionary attacks". A complex password should contain:
|At least 10 characters|
|A mixture of letters and numbers|
|Mixed case letters (Oracle Database 11g)|
|Include symbols (pre-Oracle Database 11g allows "_", "$" and "#")|
|Little or no relation to an actual word|
Although there is no substitute for a strong, complex password, the following techniques could be used to generate longer passwords from a shorter, easier to remember password. Note that Oracle Database 11g supports mix-case passwords.
|Create passwords from the 1st letters of the words of an easy-to-remember sentence: 'I usually work until 6 almost every day of the week' would become 'Iuwu6aedotw'|
|Combine 2 weaker passwords like: "welcome1" and "tiger" into "WelTigerCome1"|
|Repeat a character at the beginning or end of the password|
|Prepend or append a string of some sort|
|Append PART of the same password|
|Double some or all of the letters: "welcome13" → "wwellCcooMmee13"|
Using a random technique from this list can increase the work that an attacker must do before they can crack a password.
Oracle also recommends customers enforce password expiration and reuse policies using Oracle profiles and follow best practices defined by Oracle Applications. Oracle Database 11g made it easy to configure password policies during database install. For example, during install, customers can decide to limit the number of times a user can input incorrect passwords before getting his/her account temporarily deactivated. Oracle Database auditing can also be used to monitor account logins.
Oracle Database Enterprise User Security (EUS) leverages Oracle Identity Management to centrally store and manage database passwords. EUS supports password based authentication starting with Oracle9i Release 2. In addition, EUS started supporting SHA-1 hashes with Oracle Database 10g Release 1. Please note that centralized password based authentication requires a license of Oracle Identity Management Directory Services.
For customers who are concerned about password based authentication, can optionally use advanced authentication technologies Kerberos, SSL, or Radius. These are available with Oracle Advanced Security.