In the previous post we looked at the five native password verify functions that ship with Oracle Database, but which one should you choose? The answer differs from one organisation to another: it depends on the password policy you have to comply with.
Here are their requirements, listed from the simplest to the most demanding, to help you choose.
- VERIFY_FUNCTION
- VERIFY_FUNCTION_11G
- ORA12C_VERIFY_FUNCTION
- ORA12C_STRONG_VERIFY_FUNCTION
- ORA12C_STIG_VERIFY_FUNCTION
Let's look at the restrictions each one places on a password. All five share the same signature, (username, password, old_password) RETURN BOOLEAN, and reject a password by raising an application error (ORA-20001 and so on) rather than returning FALSE.
VERIFY_FUNCTION
Composition
- At least 4 characters.
- At least 1 numeric character.
- At least 1 alphabetic character.
- At least 1 special character.
Dictionary
- Not the same as the user name (compared case-insensitively).
- Not too simple: welcome, database, account, user, password, oracle, computer, abcd.
Rotation
The rotation check enforces a minimum distance between the new password and the previous one. Note that the previous password is only available to the function when the user supplies it while changing their own password (the SQL*Plus password command, or ALTER USER ... IDENTIFIED BY new REPLACE old); when a DBA resets a password the old one is NULL and this check is skipped.
- The password differs from the previous password by at least 3 characters.
VERIFY_FUNCTION_11G
Composition
- At least 8 characters.
- At least 1 numeric character.
- At least 1 alphabetic character.
Dictionary
- Not the same as the user name, the user name reversed, or the user name with the numbers 1–100 appended.
- Not the same as the server name or the server name with the numbers 1–100 appended.
- Does not contain the word oracle, including oracle with the numbers 1–100 appended.
- Not too simple (e.g. welcome1, database1, account1, user1234, password1, oracle123, computer1, abcdefg1, or change_on_install).
Rotation
- The password differs from the previous password by at least 3 characters.
ORA12C_VERIFY_FUNCTION
Composition
- At least 8 characters.
- At least 1 numeric character.
- At least 1 alphabetic character.
- At least 1 special character.
Dictionary
- Not the same as the user name or the user name reversed.
- Not the same as the database name.
- Does not contain the word oracle (for example oracle123).
Rotation
- The password differs from the previous password by at least 3 characters. In the 12c functions this distance is the Levenshtein edit distance computed by ora_string_distance, so each insertion, deletion or substitution of a single character counts as one change.
ORA12C_STRONG_VERIFY_FUNCTION
Composition
- At least 9 characters.
- At least 2 upper case letters.
- At least 2 lower case letters.
- At least 2 numeric characters.
- At least 2 special characters.
Rotation
- The password differs from the previous password by at least 4 characters.
ORA12C_STIG_VERIFY_FUNCTION
Composition
- At least 15 characters.
- At least 1 lower case letter.
- At least 1 upper case letter.
- At least 1 numeric character.
- At least 1 special character.
Rotation
- The password differs from the previous password by at least 8 characters.
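The quickest way to see how these rule sets differ in practice is to feed the same candidate passwords to all five functions and compare the verdicts. The harness below is an example added here, not code from the original post or from Oracle's utlpwdmg.sql. It assumes a 12.2 or later database in which utlpwdmg.sql has been run so that all five functions exist under SYS, that you run it in SQL*Plus or SQLcl as SYS (or as a user granted EXECUTE on each function), and that the user name APPUSER, the "previous" password and the candidate passwords are constructed for the test.

```sql
-- Added example (not from the original post): run constructed candidate
-- passwords through the five built-in verify functions and print, per
-- function, whether each candidate is accepted and the ORA-200xx reason
-- when it is not. Assumes a 12.2+ database with utlpwdmg.sql installed and
-- EXECUTE rights on SYS.VERIFY_FUNCTION and friends. APPUSER, the old
-- password and every candidate below are made up for the test.
SET SERVEROUTPUT ON SIZE UNLIMITED

DECLARE
  TYPE t_str_list IS TABLE OF VARCHAR2(128);

  c_user  CONSTANT VARCHAR2(128) := 'APPUSER';       -- assumed user name
  c_old   CONSTANT VARCHAR2(128) := 'Winter#2024ab';  -- assumed previous password

  c_funcs CONSTANT t_str_list := t_str_list(
    'verify_function',
    'verify_function_11g',
    'ora12c_verify_function',
    'ora12c_strong_verify_function',
    'ora12c_stig_verify_function');

  -- Constructed candidates, each chosen to probe one rule from the post.
  c_pwds CONSTANT t_str_list := t_str_list(
    'ab1!',                           -- 4 chars: the legacy minimum length
    'welcome1',                       -- on the 11g "too simple" list, no special char
    'appuser1',                       -- the user name with a number appended
    'Winter#2024ac',                  -- one substitution away from the old password
    'Xy9!Xy9!z',                      -- 9 chars: 2 upper, 3 lower, 2 digits, 2 special
    'Correct#Horse4Battery!Staple9'); -- 29 chars, every character class present

  v_pwd VARCHAR2(128);
  v_ok  NUMBER;
BEGIN
  FOR f IN 1 .. c_funcs.COUNT LOOP
    DBMS_OUTPUT.PUT_LINE('== ' || UPPER(c_funcs(f)));
    FOR p IN 1 .. c_pwds.COUNT LOOP
      v_pwd := c_pwds(p);
      BEGIN
        -- All five functions share the signature
        -- (username, password, old_password) RETURN BOOLEAN and signal a
        -- rejection with RAISE_APPLICATION_ERROR, so reaching the PASS line
        -- means the password was accepted. The function name is only known
        -- at run time here, hence the dynamic block; the BOOLEAN result is
        -- folded into a NUMBER so the OUT bind works on every 12c release.
        EXECUTE IMMEDIATE
          'BEGIN :ok := CASE WHEN sys.' || c_funcs(f) ||
          '(:u, :p, :o) THEN 1 ELSE 0 END; END;'
          USING OUT v_ok, IN c_user, IN v_pwd, IN c_old;
        DBMS_OUTPUT.PUT_LINE('  PASS  ' || RPAD(v_pwd, 32));
      EXCEPTION
        WHEN OTHERS THEN
          -- SQLERRM carries the verify function's own message, for example
          -- "ORA-20001: Password length less than 8".
          DBMS_OUTPUT.PUT_LINE('  FAIL  ' || RPAD(v_pwd, 32) || SQLERRM);
      END;
    END LOOP;
  END LOOP;
END;
/
```

Because the previous password is passed explicitly, the rotation rule is exercised for every function here; in a real password change it only fires when the user supplies the old password. Re-run with c_old set to NULL to see each function without its distance check, and add your own organisation's candidate list to check a proposed policy before attaching the function to a profile.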
Next, let's see how to apply a password verify function to users through profiles.