In 12.2, administrative password security is strengthened by enforcing the password limits of the profiles assigned to administrative users,
for example FAILED_LOGIN_ATTEMPTS, PASSWORD_LOCK_TIME, PASSWORD_GRACE_TIME, and PASSWORD_LIFE_TIME.
There is no special protection with the password file. The password verifiers must be stored outside of the database so that authentication can be performed even when the database is not open. In previous releases, password complexity functions were available for non-administrative users only. Starting with Oracle Database release 12c (12.2), password complexity functions can be used for both non-administrative users and administrative users.
Starting with 12.2, password complexity functions also apply to administrative users.
The following profile parameters must be set:
FAILED_LOGIN_ATTEMPTS
INACTIVE_ACCOUNT_TIME
PASSWORD_LOCK_TIME
PASSWORD_LIFE_TIME
PASSWORD_GRACE_TIME
In addition, for the ORAPWD utility, the restriction for the entries argument for the operating system password file has been removed.
The orapwd utility has also dropped the "entries" option. In a test, 200 users were created and each was granted SYSDBA successfully, so there is no longer a limit on the number of users that can hold the SYSDBA privilege.
Creation script:
declare
  sqltext1 varchar2(100);
  sqltext2 varchar2(100);
begin
  -- create 200 test users and grant each of them SYSDBA
  for i in 1..200
  loop
    sqltext1 := 'create user test'||i||' identified by test'||i;
    sqltext2 := 'grant sysdba to test'||i;
    execute immediate sqltext1;
    execute immediate sqltext2;
  end loop;
end;
/
The added password complexity rules are as follows:
Setting FORMAT to 12.2 enforces the following rules:
The password contains no fewer than 8 characters and includes at least one numeric and one alphabetic character.
The password is not the same as the user name or the user name reversed.
The password is not the same as the database name.
The password does not contain the word oracle (such as oracle123).
The password differs from the previous password by at least 8 characters.
The password contains at least 1 special character.
FORMAT=12.2 also performs the following checks:
The password must not exceed 30 characters.
The password must not contain a double quote ("), but the password may be enclosed in double quotes.
With FORMAT=12.2 and the default profile, the following settings apply by default:
PASSWORD_LIFE_TIME: 180 days
PASSWORD_GRACE_TIME: 7 days
FAILED_LOGIN_ATTEMPTS: 10 attempts
# Creating the password file with orapwd and the format option
[oracle@cndba dbs]$ orapwd file=orapwtest password=oracle format=12.2
OPW-00029: Password complexity failed for SYS user : Password must contain at least 8 characters.
[oracle@cndba dbs]$ orapwd file=orapwtest password=oracle123 format=12.2
OPW-00029: Password complexity failed for SYS user : Password must contain at least 1 special charact
[oracle@cndba dbs]$ orapwd file=orapwtest password=oracle123 format=11.2
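As an added example (not code from the original post or from Oracle), the following Python function models the FORMAT=12.2 checks listed above and reproduces the two OPW-00029 failures from the orapwd session. It assumes that "differs by at least 8 characters" is measured as Levenshtein edit distance and that SPECIALS is the set of characters counted as "special"; both are assumptions, not Oracle's definitions.

```python
# Constructed model of the FORMAT=12.2 password checks; not Oracle's own code.
# Assumption: these are the characters that count as "special".
SPECIALS = set("!#$%&()*+,-./:;<=>?@[]^_`{|}~")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (assumed measure for the 'differs by at least 8 characters' rule)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(password: str, username: str, dbname: str, old_password=None) -> list:
    """Return the list of violated rules; an empty list means the password passes every check."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("at least 8 characters")
    if len(password) > 30:
        problems.append("no more than 30 characters")
    if not any(c.isdigit() for c in password):
        problems.append("at least 1 numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("at least 1 alphabetic character")
    if not any(c in SPECIALS for c in password):
        problems.append("at least 1 special character")
    if '"' in password:
        problems.append("must not contain a double quote")
    if lowered in (username.lower(), username.lower()[::-1]):
        problems.append("same as user name or reversed user name")
    if lowered == dbname.lower():
        problems.append("same as database name")
    if "oracle" in lowered:
        problems.append("contains the word oracle")
    if old_password is not None and edit_distance(password, old_password) < 8:
        problems.append("differs from previous password by fewer than 8 characters")
    return problems


if __name__ == "__main__":
    # The first two candidates are the passwords rejected in the orapwd session above.
    for candidate in ("oracle", "oracle123", "Str0ng#Pass"):
        print(candidate, "->", check_password(candidate, "SYS", "orcl") or "OK")
```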
# Check the default profile settings
SQL> select profile,resource_name,limit from dba_profiles where resource_name in('PASSWORD_LIFE_TIME','PASSWORD_GRACE_TIME','FAILED_LOGIN_ATTEMPTS');
PROFILE RESOURCE_NAME LIMIT
------------------------------ ------------------------------ --------------------
DEFAULT FAILED_LOGIN_ATTEMPTS 10
DEFAULT PASSWORD_LIFE_TIME 180
DEFAULT PASSWORD_GRACE_TIME 7
# Check the administrative users' privilege information and last login time
SQL> select username,sysdba,ACCOUNT_STATUS,PASSWORD_PROFILE,LAST_LOGIN,EXPIRY_DATE from V$PWFILE_USERS;