
by dogtooth77
Oracle 11g's Strong Verifier and Case Sensitive Passwords
As an Oracle DBA, you have probably heard a lot about the new security features in Oracle 11g such as Database Vault, Audit Vault, the strong (SHA-1) password verifier, enhanced ASO, and so on. But with a busy schedule, how do you find the time to investigate all of these topics in depth? Are all of them going to affect your day-to-day DBA operations? What should you know first and foremost? Of course, depending on the particular database you are administering, you will have your own needs. But as a rule of thumb, what tends to affect you the most is almost never the cool new features. The reason is simple: if you do not use them, they won't affect you. What tends to affect you is a change in the existing features that leads to compatibility or interoperability issues. When the script you have used for years suddenly stops working, you will be frustrated. When your manager calls to ask what happened, you could feel terrible.
In this article, we discuss the new password case sensitivity feature in 11g. Every Oracle session starts with authentication. If authentication fails at the beginning of your script, everything that follows will almost certainly be broken. So what was changed, why, and what should you know?
A Primer on Verifiers
I'll start with a primer on password verifiers. As you probably know, for security reasons, Oracle users' passwords are never stored as clear text. Instead, they are stored as a "verifier", a one-way hash value derived from the clear text password. A hash verifier has a couple of useful properties. One, it is "one-way": it is easy to compute the hash value from the clear text password, but it is computationally infeasible to recover the clear text password from the hash value. Two, different clear texts almost never produce the same hash value (a "collision"). These properties allow the Oracle database to store the hash value of the user's password as a proxy for the clear text password. When a user supplies a password to log on, Oracle calculates the hash value from that password and allows the user to log on if it matches the hash value stored in the database. Note that "one-way" does not mean "unguessable": anyone who obtains a verifier can hash candidate passwords offline and compare, so the verifier should be protected as carefully as the password itself, and the strength of the verifier scheme matters. The pre-11g verifier is a DES-based hash of the upper-cased username and password with no random salt; the 11g verifier is a SHA-1 hash over the password and a random salt. To get a feel for what an Oracle verifier looks like, take a look at the USER$ table in the SYS schema (you will need the SYSDBA privilege to do that). The PASSWORD column holds the legacy 10g-style verifier; in 11g the new SHA-1 verifier is stored in the SPARE4 column and starts with "S:".
SELECT NAME, PASSWORD, SPARE4 FROM SYS.USER$ ORDER BY NAME;
What Was Changed
Prior to 11g, Oracle passwords were case insensitive. "foobar", "FOOBAR", and "FoOBaR" were identical when used as an Oracle password: they produce the same hash value, because the password is upper-cased before hashing. If a user could log in with the password "foobar", he could log in with "FOOBAR" as well. In 11g, however, when you create or alter user accounts, passwords are case sensitive by default. 11g also introduces a random "salt" into the hash computation, so that even if two users have identical passwords, their verifiers will be different (the legacy verifier mixed in the username, so two users' verifiers already differed, but the same user resetting to the same password always got the same verifier; with a random salt that is no longer true). The salt also means a precomputed table of hashes for common passwords is useless against 11g verifiers.
Oracle allows you to control password case sensitivity for backward compatibility by setting the SEC_CASE_SENSITIVE_LOGON initialization parameter. Only users who have the ALTER SYSTEM privilege can set it. Set it to TRUE to enable case sensitivity or FALSE to disable it. The parameter is dynamic, so no restart is required. Keep in mind that FALSE reverts the whole database to the weaker legacy behaviour, so treat it as a temporary bridge while you fix scripts, not as a permanent setting.
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE | FALSE;
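To make the change concrete, here is an added example (not code from the article or from Oracle) that reproduces the 11g SHA-1 verifier format described above and checks candidate passwords against it. It assumes the layout "S:" followed by the upper-case hex SHA-1 of password||salt and then the hex of a 10-byte salt, which is what the SPARE4 column shows on 11g. The example also generalizes one step beyond the text: the last function is the offline guessing an attacker can do with a stolen verifier, which is why the verifier must be protected and why a random salt and case sensitivity matter. The legacy DES-based 10g verifier is not reproduced here.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# Added example, not part of the original article. Assumed 11g verifier layout:
#   "S:" + hex(SHA1(password_bytes || salt)) + hex(salt), salt = 10 random bytes,
# all hex upper-case, as shown in SYS.USER$.SPARE4 on Oracle 11g.
SALT_LEN = 10
SHA1_HEX_LEN = 40


def make_11g_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Build an 11g-style verifier. A fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("11g verifier salt must be %d bytes" % SALT_LEN)
    # No upper-casing here: the password bytes go into the hash exactly as typed,
    # which is what makes the 11g verifier case sensitive.
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def parse_11g_verifier(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored verifier into (sha1_digest, salt); reject anything else."""
    if not stored.startswith("S:") or len(stored) != 2 + SHA1_HEX_LEN + 2 * SALT_LEN:
        raise ValueError("not an 11g SHA-1 verifier: %r" % stored)
    body = stored[2:]
    return bytes.fromhex(body[:SHA1_HEX_LEN]), bytes.fromhex(body[SHA1_HEX_LEN:])


def check_11g_password(candidate: str, stored: str) -> bool:
    """What the server does at logon: rehash the candidate with the stored salt and compare."""
    expected, salt = parse_11g_verifier(stored)
    actual = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # Constant-time compare so the comparison itself leaks nothing about the digest.
    return hmac.compare_digest(actual, expected)


def guess_from_wordlist(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with a stolen verifier: test candidates offline.

    Because the salt is random per verifier, each verifier has to be attacked
    separately (no shared precomputed table), and because the hash is case
    sensitive the candidate must match in case too.
    """
    for word in wordlist:
        if check_11g_password(word, stored):
            return word
    return None


def demo() -> dict:
    """Case sensitivity and salting, shown on a constructed password and salt."""
    fixed_salt = bytes(range(SALT_LEN))          # constructed, for reproducibility
    v_foobar = make_11g_verifier("foobar", fixed_salt)
    return {
        "verifier": v_foobar,
        "exact_case_ok": check_11g_password("foobar", v_foobar),
        "wrong_case_ok": check_11g_password("FOOBAR", v_foobar),
        # Same password, different random salt: a different verifier every time.
        "same_password_same_verifier": make_11g_verifier("foobar") == v_foobar,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

Running the demo shows that "foobar" verifies and "FOOBAR" does not against the same stored value, and that hashing the same password again with a fresh salt never reproduces the stored verifier. You can check the format assumption against a real 11g database by comparing the shape of the SPARE4 value for a test account with what make_11g_verifier produces.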
How Case Sensitivity Affects Password Files
As you may remember, Oracle stores the passwords (again in the form of verifiers) of users with the SYSDBA and SYSOPER privileges in the "password file" on the server, rather than in the database. You can enable or disable case sensitivity for password files by using the ignorecase argument of the ORAPWD command line utility. The default value of ignorecase is n (no), which enforces case sensitivity.
Here is an example of how to enable password case sensitivity for SYSDBA and SYSOPER users:
orapwd file=orapw entries=100 ignorecase=n
Enter password for SYS: password
This creates a password file called orapw. Since ignorecase is set to n (no), the password entered at the prompt is case sensitive. Afterwards, connecting with this password succeeds as long as you enter exactly the same characters in exactly the same case as when the file was created. If you enter the same password with different case, the connection fails.
If you, the DBA, create the file with ignorecase=y instead, the passwords in the password file are case insensitive, which means the password can be entered using any capitalization.
It is important to note that, because of the way each is controlled, within a single Oracle instance the password case sensitivity of regular users (SEC_CASE_SENSITIVE_LOGON) and of SYSDBA/SYSOPER users (the ignorecase setting of the password file) are independent of each other. When you audit one, check the other as well.
How Password Case Sensitivity Affects Import and Upgrade
What happens when you import users from a prior release where passwords are case insensitive into 11g? The case-insensitive passwords of these accounts remain case insensitive, even if the 11g database has password case sensitivity turned on. This makes sense, because otherwise existing users might not be able to log on from previously working scripts or client programs. This changes, however, as soon as the user changes his or her password: the new password gets an 11g verifier and becomes case sensitive.
You can find out which users have case sensitive and which have case insensitive passwords by querying the DBA_USERS view. The PASSWORD_VERSIONS column lists the verifier formats stored for the account, and therefore the release(s) whose rules the password follows. For example:
SELECT USERNAME, PASSWORD_VERSIONS FROM DBA_USERS;
USERNAME   PASSWORD_VERSIONS
---------- -----------------
JONES      10G 11G
ADAMS      10G 11G
CLARK      10G 11G
PRESTON    11G
BLAKE      10G
The accounts jones, adams, and clark were originally created in Release 10g and their passwords were then reset in Release 11g, so both verifier formats are stored. Their passwords, assuming case sensitivity has been enabled, are now case sensitive, as is the password for preston, which only has an 11g verifier. The account blake, however, still has only the Release 10g verifier, so its password is case insensitive (and, as noted above, protected by the weaker unsalted hash). Once blake changes his password, it becomes case sensitive and more secure. A practical check after an upgrade or import is to look for every account whose PASSWORD_VERSIONS does not include 11G and force a password change for those accounts once their scripts have been fixed.
Conclusion
Users' passwords in an Oracle 11g database are case sensitive by default. Case sensitivity for regular users and for SYSDBA/SYSOPER users is controlled independently. If you have a script that uses a password with inconsistent case, the script may stop working on 11g even though it works fine on prior releases. To learn more about this topic, read the "Security Guide" (Oracle Part Number B28531-03).
Peter Dwyer is an internationally known System and Database Architect for Oracle environments. He is founding principal of The Certainty Group, a Boston-based Oracle database consulting firm specializing in rapidly assessing and correcting complex problems in multi-vendor, mission-critical systems that demand high performance and reliability.