Prompted by James Koopmann's post about default Oracle accounts.
"The good thing here is that many of these accounts, after a normal installation are expired and locked"
Being blunt, "EXPIRED & LOCKED" does not mean safe, unbreakable, unusable or ignorable.
EXPIRED means that you cannot use the account password to access the account. My trick from last week would still allow access through a proxy account.
LOCKED is a bit better, as is lacking a 'CREATE SESSION' privilege. But even if FRED is locked, nothing stops user BARNEY using any available grant to run a procedure owned by FRED, and if that procedure is the default DEFINER RIGHTS, then it runs with an privilege granted to FRED. This is why SQL injection vulnerabilities in code owned by these LOCKED schemas are still dangerous.
But there's more...
Lets have some fun with APEX.
Brand new user, nothing up my sleeves.
create user exp_test identified by exp_test default tablespace users quota unlimited on users;
grant create table to exp_test;
grant create trigger to exp_test;
grant create procedure to exp_test;
grant create sequence to exp_test;
grant create view to exp_test;
Five basic privileges and not even as many as recommended in the documentation.
Those privileges are sufficient to create an Apex workspace for the schema though. A Workspace has an ADMIN user and you can log into that workspace as the ADMIN user. You can have other users (developers or plain, apex-authenticated users) on the workspace too.
You can then take your apex-authenticated admin or developer and go into APEX's SQL Worksheet and execute SQL as the schema user. Try it. No CREATE SESSION required. Now try
alter user exp_test account lock;
alter user exp_test password expire ;
Still accessible through Apex. No worries about the account being locked or passwords being expired.
I've done that using XE with Apex 4.0 and the embedded PL/SQL Gateway. Obviously the account you use to connect to the database needs to be unlocked, with CREATE SESSION and an unexpired password.
But beyond that Apex uses magic (or rather, I believe, DBMS_SYS_SQL). You can log out of one apex application running in a workspace on schema FRED, log into another running against BARNEY and it's all using the same set of database sessions. The apex builder/administration application is all running in Apex as well, on the same connections, with all its majestic power.
So an expired and locked account still has enough oomph to bite your legs off.