oracle口令管理

1, 口令文件信息查詢 口令文件中存儲着擁有sysdba或者sysoper權限的用戶. 這裏我們首先檢查一下每個系統中有哪些用戶擁有管理權限. 使用語句select * from v$pwfile_users可以完成這步操作. USERNAME SYSDBA SYSOPER SYS TRUE TRUE CTLKF TRUE FALSE 2, 查詢用戶的資源信息 select du.username, du.profile, dp.resource_name,dp.limit from dba_users DU, dba_profiles DP where du.profile = dp.profile and dp.resource_name in ('FAILED_LOGIN_ATTEMPTS', --允許用戶輸入多少次口令錯誤,超過允許次數後,賬號被鎖定 'PASSWORD_VERIFY_FUNCTION', --密碼驗證函數 'PASSWORD_LOCK_TIME', --鎖定用戶的時間(單位爲天) 'PASSWORD_LIFE_TIME', --口令的有效期, 過期提醒 'PASSWORD_GRACE_TIME' , --口令的提醒天數, 這期間口令仍然可用 'PASSWORD_REUSE_MAX', -- 口令歷史記錄保留次數 'PASSWORD_REUSE_TIME' -- 口令歷史記錄保留時間 ) order by du.username; USERNAME PROFILE RESOURCE_NAME LIMIT SYS DEFAULT FAILED_LOGIN_ATTEMPTS UNLIMITED SYS DEFAULT PASSWORD_LIFE_TIME UNLIMITED SYS DEFAULT PASSWORD_GRACE_TIME UNLIMITED SYS DEFAULT PASSWORD_LOCK_TIME UNLIMITED SYS DEFAULT PASSWORD_VERIFY_FUNCTION NULL 3. 修改口令資源 也可以使用下面的語句完成同樣的效果. ALTER PROFILE "DEFAULT" FAILED_LOGIN_ATTEMPTS 5 --允許用戶輸入多少次口令錯誤,超過允許次數後,賬號被鎖定 PASSWORD_VERIFY_FUNCTION verify_Function --密碼驗證函數 PASSWORD_LOCK_TIME 0.0416 --鎖定用戶的時間(單位爲天) PASSWORD_LIFE_TIME unlimited --口令的有效期, 過期提醒 PASSWORD_GRACE_TIME unlimited --口令的提醒天數, 這期間口令仍然可用 PASSWORD_REUSE_MAX 1 -- 口令歷史記錄保留次數 PASSWORD_REUSE_TIME unlimited -- 口令歷史記錄保留時間 4,口令複雜性檢查函數 口令複雜性檢查函數password_verify_function是oracle中自帶的, 作爲複雜性函數中的default檢查函數, 但是缺省這個函數沒有創建, 需要運行在oracle軟件主目錄下的rdbms/admin下的utlpwdmg.sql纔可以使用. SQL> conn sys/sys as sysdba 已連接。 SQL> @E:/oracle/ora92/rdbms/admin/utlpwdmg.sql 函數已創建。 配置文件已更改 默認的函數可以檢查密碼是否與用戶名相同, 是否小於4個字符, 是否是一組特定的詞, 密碼中是否包含一個字符, 一個數字和一個標點符號, 然後再和舊口令進行對照. 當然,用戶也可以修改或者創建自己的口令複雜度函數, 然後啓用. CREATE OR REPLACE FUNCTION verify_function (username varchar2, password varchar2, old_password varchar2) RETURN boolean IS n boolean; m integer; differ integer; isdigit boolean; ischar boolean; ispunct boolean; digitarray varchar2(20); punctarray varchar2(25); chararray varchar2(52); BEGIN digitarray:= '0123456789'; chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; punctarray:='!"#$%&()``*+,-/:;<=>?_'; -- Check if the password is same as the username IF NLS_LOWER(password) = NLS_LOWER(username) THEN raise_application_error(-20001, 'Password same as or similar to user(密碼和用戶不能相同...)'); END IF; -- Check for the minimum length of the password IF length(password) < 4 THEN raise_application_error(-20002, 'Password length less than 4(密碼長度必須大於等於4)'); END IF; -- Check if the password is too simple. A dictionary of words may be -- maintained and a check may be made so as not to allow the words -- that are too simple for the password. IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user', 'password', 'oracle', 'computer', 'abcd') THEN raise_application_error(-20002, 'Password too simple(暈, 這都想得出來...)'); END IF; -- Check if the password contains at least one letter, one digit and one -- punctuation mark. -- 1. Check for the digit isdigit:=FALSE; m := length(password); FOR i IN 1..10 LOOP FOR j IN 1..m LOOP IF substr(password,j,1) = substr(digitarray,i,1) THEN isdigit:=TRUE; GOTO findchar; END IF; END LOOP; END LOOP; IF isdigit = FALSE THEN raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation(密碼至少包含一個數字...)'); END IF; -- 2. Check for the character <> ischar:=FALSE; FOR i IN 1..length(chararray) LOOP FOR j IN 1..m LOOP IF substr(password,j,1) = substr(chararray,i,1) THEN ischar:=TRUE; GOTO findpunct; END IF; END LOOP; END LOOP; IF ischar = FALSE THEN raise_application_error(-20003, 'Password should contain at least one / digit, one character and one punctuation(密碼至少包含一個字符...)'); END IF; -- 3. Check for the punctuation <> ispunct:=FALSE; FOR i IN 1..length(punctarray) LOOP FOR j IN 1..m LOOP IF substr(password,j,1) = substr(punctarray,i,1) THEN ispunct:=TRUE; GOTO endsearch; END IF; END LOOP; END LOOP; IF ispunct = FALSE THEN raise_application_error(-20003, 'Password should contain at least one / digit, one character and one punctuation(密碼至少包含一個標點...)'); END IF; <> -- Check if the password differs from the previous password by at least -- 3 letters IF old_password IS NOT NULL THEN differ := length(old_password) - length(password); IF abs(differ) < 3 THEN IF length(password) < length(old_password) THEN m := length(password); ELSE m := length(old_password); END IF; differ := abs(differ); FOR i IN 1..m LOOP IF substr(password,i,1) != substr(old_password,i,1) THEN differ := differ + 1; END IF; END LOOP; IF differ < 3 THEN raise_application_error(-20004, 'Password should differ by at / least 3 characters(新密碼跟舊密碼至少有三個字符不同...)'); END IF; END IF; END IF; -- Everything is fine; return TRUE ; RETURN(TRUE); END; 5, 修改用戶密碼 1, 使用alter user 使用sysdba權限用戶登錄後, 可以用下屬語句修改用戶密碼. Alter user username identified by password; 2, 使用password SQL> password 更改SYS的口令 舊口令: 新口令: 重新鍵入新口令: 口令已更改 3, 修改超級用戶sys密碼 A, 使用conn / as sysdba 登錄, 然後使用alter user sys identified by password B, 刪除口令文件, 然後在dos控制檯使用orapwd修改. C:/Documents and Settings/Administrator>orapwd Usage: orapwd file= password= entries= where file - name of password file (mand), password - password for SYS (mand), entries - maximum number of distinct DBA and OPERs (opt), There are no spaces around the equal-to (=) character. C:/Documents and Settings/Administrator>orapwd file=PWDordDB.ora password=sys.47522341 entries=5 6, 強制過期所有用戶密碼 begin for myrec in ( select username from dba_users ) loop execute immediate 'alter user '||myrec.username||' password expire'; end loop; end; -- 強制修改所有用戶密碼 begin for myrec in ( select username from dba_users ) loop execute immediate 'alter user '||myrec.username||' identified by '||myrec.username||'_47522341'; end loop; end; 7, 測試修改口令後需要的工作量. 1, C/S環境. 環境建立: 在delphi中創建oracle連接, 設置密碼, 打開一個數據表. 測試目的: 將密碼過期後, 查看再次登錄是否需要修改密碼. 測試結論: 如果用戶強制將密碼過期, 那麼所有已經發布的登錄也要在修改完密碼後重新配置連接字符串.