Oracle Database Mitigation

Internal Audit has tasked the ITIS DBA team with reducing Purdue's vulnerability to data hackers. The DBA team is reviewing each application to determine how access to the data can be modified to make the data more secure. In the end, each application will see data access become more restricted. The majority of the changes will be related to access granted to ALL (Public access), individual user password requirements, and password expiration. Since many applications have relied on Public access to system tables and utilities, there will be situations where functionality is negatively affected. Most of the issues should be identified in the pre-production environments, and work-arounds developed, before the production environment is mitigated.

Password requirements will see the following changes:

- Passwords will need to change every 90 days on databases that contain restricted data and every 180 days on all others.

- After 5 failed login attempts the account will be locked for 30 minutes.

- A password can only be reused after it has been changed 7 times in between.

- The password must have a minimum length of 8 characters.

- The password must not be the reversed username.

- The password must not be the username with a numeric suffix of 1-100.

- The password must not be "oracle" with a numeric suffix of 1-100.

- The password must not be the database's name.

- The password must not be the database's name with a numeric suffix of 1-100.

- The password must contain at least one digit and one character.

- A new password must differ from the old password in at least 3 positions.

- The password must not be a string from a predefined list, which includes 'welcome1', 'database1', 'account1', 'user1234', 'password1', 'oracle123', 'computer1', 'abcdefg1' and 'change_on_install'.
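The following Python checker is an added example, not a Purdue or Oracle script; it mirrors the rules listed above so a user can test a proposed password locally before running the ALTER USER command. The function name check_password, the case-insensitive comparison and the reading of "one character" as "one letter" are assumptions of this example; the blocklist is the constructed subset named in the policy, not the full list.

```python
"""Pre-check a proposed Oracle password against the policy rules above."""

# Constructed subset of the predefined list; the real list is longer (assumption).
BLOCKLIST = {"welcome1", "database1", "account1", "user1234", "password1",
             "oracle123", "computer1", "abcdefg1", "change_on_install"}


def _is_base_with_suffix(pw: str, base: str) -> bool:
    """True if pw is exactly base followed by a number in 1..100."""
    return any(pw == f"{base}{n}" for n in range(1, 101))


def _positions_differing(new: str, old: str) -> int:
    """Count positions where the two strings differ; extra length counts as differing."""
    return sum(1 for a, b in zip(new, old) if a != b) + abs(len(new) - len(old))


def check_password(new: str, old: str, username: str, dbname: str) -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    # Comparisons are done case-insensitively (assumption of this example).
    pw, old_pw = new.lower(), old.lower()
    user, db = username.lower(), dbname.lower()
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw == user[::-1]:
        problems.append("is the reversed username")
    if _is_base_with_suffix(pw, user):
        problems.append("is the username with a numeric suffix of 1-100")
    if _is_base_with_suffix(pw, "oracle"):
        problems.append("is 'oracle' with a numeric suffix of 1-100")
    if pw == db or _is_base_with_suffix(pw, db):
        problems.append("is the database name, possibly with a numeric suffix of 1-100")
    # "one digit and one character" is read here as one digit and one letter.
    if not (any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw)):
        problems.append("needs at least one digit and one letter")
    if _positions_differing(pw, old_pw) < 3:
        problems.append("differs from the old password in fewer than 3 positions")
    if pw in BLOCKLIST:
        problems.append("is on the predefined blocklist")
    return problems


if __name__ == "__main__":
    # Values from the example later in this notice; database name is constructed.
    print(check_password("stqi4kly", "wtx21tyz", "puboiler", "dev1"))
```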

Since individual users will now need to change their password every 180 days, they must connect to the database using SQL*Plus or another tool that provides an interface for entering SQL commands. Individuals can only modify their own password. The command below is what should be used:

Alter user <username> identified by <new password> replace <old password>

Example:

User: puboiler

Old Password: wtx21tyz

New Password: stqi4kly

Alter user puboiler identified by stqi4kly replace wtx21tyz;