11gR2 Database User Password Complexity Verification

Posted by 尛樣兒 on 2013-03-25

C:\Users\LIUBINGLIN>sqlplus / as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on 星期一 3月 25 22:53:24 2013

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


連線到:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> @?/rdbms/admin/utlpwdmg.sql

函式已建立。


配置檔案已更改


函式已建立。

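After running the utlpwdmg.sql script, Oracle Database password complexity verification is enabled. The rules are as follows:

1. For users that were not imported from a lower-version database, passwords are strictly case sensitive.
2. The password must be at least 8 characters long and no longer than 30 characters.
3. The password must not be the same as the user name, the user name spelled backwards, or the user name with 1-100 appended.
4. The password must not be the same as the server name, or the server name with 1-100 appended.
5. The password must not be too simple, for example: welcome1, database1, account1, user1234, password1, oracle, oracle123, computer1, abcdefg1, or change_on_install.
6. The password must not be oracle, or oracle with 1-100 appended.
7. The password must contain at least 1 digit and 1 letter.
8. The new password must differ from the old password by at least 3 characters.
9. The password is valid for 180 days, with a grace period of 7 days.
10. If a user enters an incorrect password 10 times in a row, that user is locked.
11. Once the policy is set, it is enforced only when a user is created or a password is changed; existing users' passwords continue to work. To be safe, change the passwords of the SYSTEM user and all business application users immediately after setting the policy.
12. The rules above do not apply to the SYS user (SYS is the super administrator, its password is stored in a separate file, and it should be given the strictest password).

Here is a test example: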
SQL> alter user test identified by test123;

alter user test identified by test123
*
第 1 行出現錯誤:
ORA-28003: 指定口令的口令驗證失敗
ORA-20001: Password length less than 8

SQL> alter user test identified by test123123;

使用者已更改。

SQL> create user test123123 identified by "321321tset";
create user test123123 identified by "321321tset"
*

第 1 行出現錯誤:
ORA-28003: 指定口令的口令驗證失敗
ORA-20003: Password same as username reversed


SQL> select profile,resource_name,limit from dba_profiles where profile='DEFAULT' and resource_name in ('PASSWORD_LIFE_TIME','PASSWORD_VERIFY_FUNCTION','PASSWORD_LOCK_TIME','PASSWORD_GRACE_TIME','PASSWORD_REUSE_MAX','PASSWORD_REUSE_TIME');

PROFILE              RESOURCE_NAME                  LIMIT
-------------------- ------------------------------ --------------------
DEFAULT              PASSWORD_LIFE_TIME             180
DEFAULT              PASSWORD_REUSE_TIME            UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             UNLIMITED
DEFAULT              PASSWORD_VERIFY_FUNCTION       VERIFY_FUNCTION_11G
DEFAULT              PASSWORD_LOCK_TIME             1
DEFAULT              PASSWORD_GRACE_TIME            7

已選擇6行。

About password versions:
SELECT USERNAME,PASSWORD_VERSIONS FROM DBA_USERS;

USERNAME                       PASSWORD_VERSIONS
------------------------------ -----------------
JONES                          10G 11G
ADAMS                          10G 11G
CLARK                          10G 11G
PRESTON                        11G
BLAKE                          10G

The passwords for accounts jones, adams, and clark were originally created in Release 10g and then reset in Release 11g. Their passwords, assuming case sensitivity has been enabled, are now case sensitive, as is the password for preston. However, the account for blake is still using the Release 10g standard, so it is case insensitive. Ask him to reset his password so that it will be case sensitive, and therefore more secure.
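As an added example (not part of the original post or of Oracle's scripts), the following query combines the two checks above: it lists unlocked accounts whose profile has no password verify function, or whose password is still stored only in the 10G version. It assumes a DBA session and uses only the DBA_USERS and DBA_PROFILES views; the profile output above covers only the DEFAULT profile, so users assigned to other profiles are resolved separately here.

```sql
-- Added example: audit which accounts the password policy actually covers.
WITH verify AS (
  SELECT p.profile,
         -- A non-DEFAULT profile can store the literal 'DEFAULT', meaning
         -- "inherit this limit from the DEFAULT profile"; resolve it here.
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS verify_fn
    FROM dba_profiles p
    JOIN dba_profiles d
      ON d.profile = 'DEFAULT'
     AND d.resource_name = p.resource_name
   WHERE p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
)
SELECT u.username,
       u.account_status,
       u.profile,
       v.verify_fn,
       u.password_versions,
       CASE
         -- DBA_PROFILES shows the string 'NULL' when no function is set.
         WHEN v.verify_fn = 'NULL'
           THEN 'profile has no verify function'
         WHEN u.password_versions NOT LIKE '%11G%'
           THEN '10G-only password, not case sensitive'
       END AS finding
  FROM dba_users u
  JOIN verify v
    ON v.profile = u.profile
 WHERE u.account_status NOT LIKE '%LOCKED%'
   AND (   v.verify_fn = 'NULL'
        OR u.password_versions NOT LIKE '%11G%')
 ORDER BY u.username;
```

Accounts with an empty PASSWORD_VERSIONS value (for example, externally authenticated users) are not reported by the second condition, because the comparison against NULL is not true.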

Making the SYS user's password strictly case sensitive:
orapwd file=orapw entries=100 ignorecase=n
Enter password for SYS: password 

This creates a password file called orapw. Because ignorecase is set to n (no), the password entered for the password parameter will be case sensitive. Afterwards, if you connect using this password, it succeeds, as long as you enter it using the exact case sensitivity in which it was created. If you enter the same password but with different case sensitivity, it will fail.

If you set ignorecase to y, then the passwords in the password file are case insensitive, which means that you can enter the password using any capitalization that you want.

If you imported user accounts from a previous release and these accounts were created with SYSDBA or SYSOPER privileges, then they will be included in the password file. The passwords for these accounts are case insensitive. The next time these users change their passwords, and assuming case sensitivity is enabled, the passwords become case sensitive. For greater security, have these users change their passwords.


For more details, refer to the documentation:

--end--

From the ITPUB blog, link: http://blog.itpub.net/23135684/viewspace-757083/. If you repost this article, please credit the source; otherwise legal action will be pursued.
