Consider using profiles for managing passwords… But not only!

When working with Oracle, you quickly realise you have different user types, with different needs and different privileges coming with them.

The DBA will want DBA and developer passwords changed more often than normal users', and normal users' passwords changed more often than connection users': the accounts used for application connectivity, batch jobs, that kind of thing.

Now, managing those passwords is a nightmare. When prompted to change a password, users might reuse the same one out of laziness, or sometimes simply have no real password at all and use the username as the password, or username123, which amounts to the same thing.

The profiles in Oracle help manage that.

I’ve created 2 profiles:

1) The connect_users with light privileges

Change password every 3 months

Not allowed to reuse a password before having had 3 different passwords

2) The normal users. People connecting to all sorts of applications and inputting data all day long.

Change password every 2 months

Not allowed to reuse a password before having had 5 different passwords

Max 8 sessions. We use some apps that open 2 sessions per open window, so I force them to use 4 windows max. (And I still wonder how they can manage 4 at a time…)

3) DBAs and developers

Change password every month. Seriously, we have trained brains able to remember dozens of complex passwords of at least 10 characters.

Not allowed to reuse a password before having had 10 different passwords.

Why so many different passwords? Well, since the password expires every month, a DBA with only a 5-password history would be able to reuse an old one after just 5 months, compared to 10 months for a normal user. That doesn't make sense, does it?
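What the three profiles above look like as Oracle DDL, as an added example that is not code from the original post. The profile names, the account names in the ALTER USER statements, and the day counts (3 months taken as 90 days, 2 months as 60, 1 month as 30) are assumptions; FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME go beyond the post's rules and are included as a common complement.

```sql
-- Added example (not the post's own code). Run as a DBA.
-- Day counts and profile/account names are assumptions.

-- Oracle only enforces a "N different passwords first" history when BOTH
-- PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME are integers. If one of them is
-- UNLIMITED the password can never be reused; if both are UNLIMITED the
-- history is ignored entirely. Setting PASSWORD_REUSE_TIME to 1 day lets the
-- change count be the governing condition.

-- 1) Connection users (application / batch accounts): light privileges.
CREATE PROFILE connect_users LIMIT
  PASSWORD_LIFE_TIME     90          -- change every 3 months
  PASSWORD_REUSE_MAX     3           -- 3 different passwords before reuse
  PASSWORD_REUSE_TIME    1
  PASSWORD_GRACE_TIME    7           -- days of warnings before lockout
  FAILED_LOGIN_ATTEMPTS  10
  PASSWORD_LOCK_TIME     1/24;       -- lock for one hour, then retry

-- 2) Normal users: shorter lifetime, longer history, session cap.
CREATE PROFILE normal_users LIMIT
  PASSWORD_LIFE_TIME     60          -- change every 2 months
  PASSWORD_REUSE_MAX     5
  PASSWORD_REUSE_TIME    1
  PASSWORD_GRACE_TIME    7
  FAILED_LOGIN_ATTEMPTS  10
  PASSWORD_LOCK_TIME     1/24
  SESSIONS_PER_USER      8;          -- 2 sessions per window, 4 windows max

-- 3) DBAs and developers: monthly change, 10-password history.
CREATE PROFILE dba_users LIMIT
  PASSWORD_LIFE_TIME     30          -- change every month
  PASSWORD_REUSE_MAX     10
  PASSWORD_REUSE_TIME    1
  PASSWORD_GRACE_TIME    3
  FAILED_LOGIN_ATTEMPTS  5
  PASSWORD_LOCK_TIME     1;          -- lock for a full day

-- SESSIONS_PER_USER is a resource limit, not a password limit: it is only
-- enforced while the instance parameter RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- Assign the profiles (account names are placeholders).
ALTER USER app_batch PROFILE connect_users;
ALTER USER jsmith    PROFILE normal_users;
ALTER USER dba_jane  PROFILE dba_users;

-- Check what is actually in force; a limit left at DEFAULT inherits from
-- the DEFAULT profile, where everything is UNLIMITED unless changed.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile IN ('CONNECT_USERS', 'NORMAL_USERS', 'DBA_USERS')
 ORDER BY profile, resource_type, resource_name;
```

The final query is the check worth running after any profile change: a parameter you meant to set but left at DEFAULT shows up as DEFAULT in DBA_PROFILES, and its effective value is whatever the DEFAULT profile says.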

There's something missing in this profile thing… The password complexity check. It usually forces users to have at least one number and at least one capital letter in their password. This is just plain crap. I can make a password like this: Passw0rd, and get through the complexity check. Why bother…

Instead, I take the time to train my users. I've found I get much better results by advocating security rather than forcing it. What is seen as a hassle can be turned into an effort to keep the bad hacker, the bad employee, the competitor from stealing our work.

You see, the reason users can't be asked to change a password is that they don't have a clue!

Answer the questions!


1) Why me?

Ask them. They’ll answer:

Who’s gonna steal my data?

I have nothing valuable.

The underlying question is how anyone could make money with my data anyway. It's worthless. Therefore, the hacker is a myth.

That is what you usually hear at the beginning of the training. Then you bring up the slide with the common questions. They are usually impressed that it could be guessed :o) The reason is not you, or your data. It's your computer, for spamming: turning your Oracle database into a gigantic spamming machine. Since this does not concern only Oracle, I like to stress the fact that very often it's the computer that is hacked, not the user in particular.

I explain the reasons too: spamming, IRC channels selling hacked computers with admin rights and passwords. Here the business model pops up, making the thing real. Tangible.

2) Who?

It doesn’t need to be fully detailed.

I explain about script kiddies: how easy it is to hack by downloading ready-to-use scripts from the internet, people with no clue about what they are doing but harming innocent DBAs anyway!

3) How?

I explain the use of security flaw databases, the automated bots looking for their targets on the web, the password dictionaries, and how common they are.

You’ve just thought about an easy-to-remember password? The hacker did that years before you even started thinking about it.

Defend yourself

Here we are. The enemy has a face. It can be identified by the user. Now that you have an enemy and a reason for his acts, you can start defending yourself.

A good password has to be complex. <– That is a tricky word. The second you turn your back on it, it kicks you in the face. Simply put, complex for a DBA is really not the same as complex for a user.

Here are some samples of complex passwords for a user:


!@#$%^&* (This one is the worst. It gives a feeling of security where there is none. If you feel secure, you care less.)

Here are some samples of complex passwords for DBAs:




Make sure your users understand what complexity means for you

How to choose a good password.

Here are my rules:

1) Don't stick to one password creation method; change from one to another.

You like to replace some letters with numbers that look like them? Don't do it for the next letter.

2) You like to modify words with numbers or do some design (_|_)?

Find another way: concatenate substrings of different words, or mix them up together.

Make a sentence and take 3 letters from each word. Modify them with caps, special characters and numbers.

3) Make it long. At least 8 characters for users. At least 10 for DBAs and administrators.

4) Add some numbers, letters and characters totally unrelated to any rule, coming out of nowhere: :-)Or/cl3(-:

If you do all that, you'll have an easy-to-remember password that is hard to break too.
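The complexity check dismissed earlier ("Passw0rd" passes) and the length rule above can both be enforced mechanically with a PASSWORD_VERIFY_FUNCTION, which Oracle calls on every password change for users of a profile. The following is an added example, not code from the post: it rejects passwords shorter than the post's minimums (8 for users, 10 for DBAs), rejects the username with or without trailing digits (the "username123" case), rejects an unchanged password, and normalises common letter-for-number substitutions before comparing against a small denylist, so Passw0rd is caught as password. The function names, the denylist contents and the profile names normal_users and dba_users are assumptions.

```sql
-- Added example (not the post's own code). Password verify functions must
-- be owned by SYS, so run this as SYS. Names and the denylist are assumptions.

CREATE OR REPLACE FUNCTION verify_pw_core (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2,
  min_len      IN PLS_INTEGER)
RETURN BOOLEAN
IS
  lower_pw    VARCHAR2(4000) := LOWER(password);
  lower_user  VARCHAR2(128)  := LOWER(username);
  normalised  VARCHAR2(4000);
BEGIN
  -- Rule 3 from the post: length. The caller decides 8 or 10.
  IF LENGTH(password) < min_len THEN
    raise_application_error(-20001,
      'Password must be at least ' || min_len || ' characters');
  END IF;

  -- "scott", "scott123": username prefix followed by nothing or only digits.
  -- Plain SUBSTR comparison, so usernames containing $ or # need no escaping.
  IF SUBSTR(lower_pw, 1, LENGTH(lower_user)) = lower_user
     AND REGEXP_LIKE(SUBSTR(lower_pw, LENGTH(lower_user) + 1), '^[0-9]*$') THEN
    raise_application_error(-20002,
      'Password must not be the username, with or without trailing digits');
  END IF;

  -- Unchanged password (old_password is NULL when a DBA resets the account).
  IF old_password IS NOT NULL AND LOWER(old_password) = lower_pw THEN
    raise_application_error(-20003, 'New password must differ from the old one');
  END IF;

  -- Undo the usual substitutions before the denylist check:
  -- strip trailing digits, then map 0->o 1->l 3->e 4->a @->a $->s !->i.
  -- "Passw0rd" and "Passw0rd1" both normalise to "password".
  normalised := TRANSLATE(REGEXP_REPLACE(lower_pw, '[0-9]+$', ''),
                          '0134@$!', 'oleaasi');
  IF normalised IN ('password', 'welcome', 'oracle', 'qwerty', 'letmein',
                    'changeme') THEN
    raise_application_error(-20004,
      'Password is a common word with letters swapped for numbers');
  END IF;

  RETURN TRUE;
END verify_pw_core;
/

-- Oracle requires the fixed three-argument signature on the profile, so one
-- thin wrapper per minimum length.
CREATE OR REPLACE FUNCTION verify_pw_users (
  username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  RETURN verify_pw_core(username, password, old_password, 8);
END verify_pw_users;
/

CREATE OR REPLACE FUNCTION verify_pw_dbas (
  username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  RETURN verify_pw_core(username, password, old_password, 10);
END verify_pw_dbas;
/

-- Attach to the profiles (assumed to exist with these names).
ALTER PROFILE normal_users LIMIT PASSWORD_VERIFY_FUNCTION verify_pw_users;
ALTER PROFILE dba_users    LIMIT PASSWORD_VERIFY_FUNCTION verify_pw_dbas;

-- A user of normal_users now sees ORA-28003 (verification failed) with the
-- ORA-20004 message for:  ALTER USER jsmith IDENTIFIED BY Passw0rd;
```

The verify function only complements the profile limits: it judges the new password at change time, while PASSWORD_LIFE_TIME and the reuse parameters decide when a change is due and what may be reused. The denylist is deliberately short; the normalisation step is what makes it useful, since it collapses the substitutions a user would otherwise rely on to satisfy a "one digit, one capital" rule.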

And finding a password can become fun instead of a hassle.

Not as fun as playing WoW or enjoying yourself with your girlfriend. But as fun as something can be in the workplace.

