Friday, October 29, 2010

Temporary access to database accounts and password reuse

Eddie Awad recently shared the "Factsheet about Oracle database passwords" from Red Database Security.

One of the items mentioned is the fact sheet is how to temporarily change a user's password, by getting the value from DBA_USERS (or SYS.USER$ in 11g) and using the IDENTIFIED BY VALUES clause.

It doesn't cover the situation where your policy prohibits password reuse. If you try to reset it back, then you'll get the "ORA-28007: the password cannot be reused" exception. You can set password_reuse_max to unlimited, then set the password and then reset the policy. But that's all a bit of a hack and it is something you shouldn't be doing anyway.

If a DBA has an urgent need to log into someone else, then the DBA should give himself proxy rights


ALTER USER target_usr GRANT CONNECT THROUGH dba_user;

then connect as


CONNECT dba_user[target_user]/dba_password@conn


 which is much tidier. Though the DBA should revoke that grant afterwards.
ALTER USER target_usr REVOKE CONNECT THROUGH dba_user;


And one more thing missing from the fact sheet is that, if you have enabled the functionality to prevent password reuse, obviously Oracle has to store the old password hashes to validate that they are not reused. Those old hashes can be seen in SYS.USER_HISTORY$. While they are not current passwords, if someone does get hold of them, they may provide a clue as to what passwords someone is using.

3 comments:

Anonymous said...

Nice.

Surachart said...

Excellence

Anonymous said...

Thank Gary, very succinct and clear post