
Oracle 11g's Strong Verifier and Case Sensitive Password

As an Oracle DBA, you have probably heard a lot about the new security features in Oracle 11G such as database vault, audit vault, strong verifier, enhanced ASO, etc. But with a busy schedule, how do you find the time to study all the topics in depth? Are all of them going to affect your daily DBA operations? What should you know first and foremost? Of course, depending on the particular database you are administering, you will have your own unique needs. But as a rule of thumb, what tends to affect you the most is almost never those cool new features. The reason is simple: if you don't use them, they won't affect you. What tends to affect you is a change in an existing feature that might lead to compatibility or interoperability issues. When that script you have used for years suddenly stops working, you will be disappointed. When your boss or above calls to ask what happened, you could feel terrible.

In this article, we discuss the new password case sensitivity feature in 11G. Every Oracle session starts with authentication. If the authentication fails at the beginning of your script, everything that follows will almost certainly be broken. So what was changed, why, and what should you know?

A Primer on Verifier

I'll start with a primer on the password verifier. As you probably know, for security reasons, Oracle users' passwords are never stored as clear text. Instead, they are stored as a "verifier", a one-way hash value calculated from the clear text password. A hash verifier has a few important properties. One, it is "one-way": it is easy to calculate the hash value from a clear text password, but it is nearly impossible to figure out the clear text password from a hash value. Two, different clear texts almost never yield the same hash value (when they do, it is called a collision). These properties allow the Oracle database to store the hash value of a user's password as a surrogate for the clear text password. When a user provides a password to log on, Oracle calculates the hash value from that password and allows the user to log on if it matches the hash value stored in the database. To get a feel for what an Oracle verifier looks like, take a look at the PASSWORD column in the USER$ table in the SYS schema (of course, you will need the SYSDBA privilege to do that):

SELECT NAME,PASSWORD FROM SYS.USER$ ORDER BY NAME;

What Was Changed

Prior to 11G, Oracle passwords were case insensitive. "foobar", "FOOBAR", and "FoOBaR" are identical when used as an Oracle password. They yield the same hash value. If a user could log in with password "foobar", he could log in with "FOOBAR" as well. In 11G, however, when you create or modify user accounts, passwords are case sensitive by default. 11G also introduces a "salt" in the hash value generation so that even if two users have identical passwords, their verifiers will still be different.

Oracle allows you to control password case sensitivity for backward compatibility by setting the SEC_CASE_SENSITIVE_LOGON initialization parameter. Only users who have the ALTER SYSTEM privilege can set the SEC_CASE_SENSITIVE_LOGON parameter. Set it to TRUE to enable case sensitivity or FALSE to disable case sensitivity.

ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE | FALSE;

How Case Sensitivity Affects Password Files

As you may remember, Oracle stores the passwords (again in the form of verifiers) of users with SYSDBA and SYSOPER privileges in a "password file" on the server, rather than in the database. You can enable or disable case sensitivity for password files by using the ignorecase argument in the ORAPWD command line utility. The default value for ignorecase is n (no), which enforces case sensitivity.

Here is an example of how to enable password case sensitivity for SYSDBA and SYSOPER users:

orapwd file=orapw entries=100 ignorecase=n
Enter password for SYS: password

This creates a password file called orapw. Since ignorecase is set to n (no), the password entered at the prompt will be case sensitive. Afterwards, if you connect using this password, the connection succeeds as long as you enter the password using the exact same characters with the exact same case as when it was created. If you enter the same password with different case, the connection will fail.

If you, the DBA, set ignorecase to y, then the passwords in the password file are case insensitive, which means that you can enter the password using any capitalization that you want.

It is important to note that, because the two are controlled separately, password case sensitivity for regular users and for SYSDBA/SYSOPER users can be set independently within one Oracle system.

How Password Case Sensitivity Affects Import and Upgrade

What happens when you export users from an earlier-release database, where passwords are case insensitive, and import them into 11G? The case-insensitive passwords in these accounts remain case insensitive, even if the 11G system has turned on password case sensitivity. This makes sense because otherwise old users may not be able to log on from a previously working script or client program. This, however, will change when the user changes his or her password.

You can find users who have case sensitive or case insensitive passwords by querying the DBA_USERS view. The PASSWORD_VERSIONS column in this view indicates the release in which the password was created. For example:

SELECT USERNAME, PASSWORD_VERSIONS FROM DBA_USERS;

USERNAME                       PASSWORD_VERSIONS
------------------------------ -----------------
JONES                          10G 11G
ADAMS                          10G 11G
CLARK                          10G 11G
PRESTON                        11G
BLAKE                          10G

The passwords for accounts jones, adams, and clark were originally created in Release 10g and then reset in Release 11g. Their passwords, assuming case sensitivity has been enabled, are now case sensitive, as is the password for preston. However, the account for blake is still using the Release 10g standard, so it is case insensitive. Once he changes his password, it will become case sensitive and more secure.
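The behaviour described above and in "What Was Changed" can be modelled in a few lines. The following is an added example, not Oracle code and not part of the original article: the two hash functions are SHA-256 stand-ins that only reproduce the properties discussed (case folding without salt versus case preservation with a random salt), and the Account class and its method names are hypothetical.

```python
import hashlib
import hmac
import os

def legacy_verifier(password):
    # Stand-in for a pre-11G verifier: case is folded, no salt (not Oracle's hash).
    return hashlib.sha256(password.upper().encode()).hexdigest()

def salted_verifier(password, salt):
    # Stand-in for an 11G verifier: case preserved, random per-account salt.
    return hashlib.sha256(salt + password.encode()).hexdigest()

class Account:
    def __init__(self, name):
        self.name, self.legacy, self.salt, self.strong = name, None, None, None

    def set_password_pre_11g(self, password):
        self.legacy = legacy_verifier(password)

    def set_password_11g(self, password):
        # A reset in 11G yields "10G 11G": both verifiers are stored.
        self.legacy = legacy_verifier(password)
        self.salt = os.urandom(10)
        self.strong = salted_verifier(password, self.salt)

    def password_versions(self):
        pairs = (("10G", self.legacy), ("11G", self.strong))
        return " ".join(tag for tag, value in pairs if value)

    def login(self, password, sec_case_sensitive_logon=True):
        if self.strong and sec_case_sensitive_logon:
            return hmac.compare_digest(salted_verifier(password, self.salt), self.strong)
        if self.legacy is None:
            return False
        return hmac.compare_digest(legacy_verifier(password), self.legacy)

if __name__ == "__main__":
    blake = Account("BLAKE")              # constructed sample account
    blake.set_password_pre_11g("FooBar")  # imported from an older release
    print(blake.password_versions(), blake.login("FOOBAR"))   # 10G True
    blake.set_password_11g("FooBar")      # password changed in 11G
    print(blake.password_versions(), blake.login("FOOBAR"))   # 10G 11G False
```

A script that has always sent the password in a different case keeps working against the imported account and starts failing only after the password is changed in 11G, which is the failure mode to look for when a login breaks after an upgrade.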

Conclusion

Users' passwords in an Oracle 11G database are case sensitive by default. Password case sensitivity for regular users and for SYSDBA/SYSOPER users can be controlled independently. If you have a script with inconsistent password cases, the script may stop working with 11G even though it works fine with previous releases. To learn more about this topic, read "Security Guide" (Oracle Part Number B28531-03).

Paul Fleming

Peter Dwyer is an internationally known System and Database Architect for Oracle environments. He is founding principal of The Certainty Group, a Boston-based Oracle database consultation company specializing in quickly assessing and correcting complex problems in multi-vendor, mission-critical systems that demand high performance and reliability.

Article Source: http://www.articlesbase.com/computers-articles/oracle-11gs-strong-verifier-and-case-sensitive-password-356500.html