从4个方面实战oracle的密码操作(一)

从4个方面实战oracle的密码操作

较好的实践是，oracle的密码操作通过profile来实现，而资源则是通过资源消费组来控制，profile其实是种限制。

通过profile来控制密码的使用，大抵有四：

1） 密码的历史

在这里，有两个参数：password_reuse_time和password_reuse_max，比较好的实践是，这两个参数当关联起来使用。 如：password_reuse_time=30，password_reuse_max=10，

用户可以在30天以后重用该密码，要求密码必须被改变超过10次。

实验： www.2cto.com

会话1：sys

sys@ORCL> create profile p1 limit password_reuse_time 1/1440 password_reuse_max 1;

Profile created.

sys@ORCL> alter user scott profile p1;

User altered.

sys@ORCL> alter user scott password expire;

User altered.

sys@ORCL> alter profile p1 limit password_reuse_time 5/1440 password_reuse_max 1;--5分钟后可重用该密码，但这期间必须要被改成其他密码一次

Profile altered.

sys@ORCL> alter user scott password expire;

www.2cto.com

User altered.

会话2：scott

scott@ORCL> exit;

Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

[oracle@localhost ~]$ sqlplus /nolog

SQL*Plus: Release 10.2.0.1.0 - Production on Mon Sep 3 01:11:09 2012

Copyright (c) 1982, 2005, Oracle. All rights reserved.

idle> conn scott/oracle

ERROR:

ORA-28001: the password has expired

Changing password for scott

New password: --使用原密码，即oracle

Retype new password:

ERROR:

ORA-28007: the password cannot be reused

Password unchanged

idle> conn scott/oracle

ERROR:

ORA-28001: the password has expired

Changing password for scott

New password: --使用新密码，改成think

Retype new password:

Password changed

Connected. www.2cto.com

会话1：sys

sys@ORCL> alter user scott password expire;

User altered.

会话2：scott

scott@ORCL> exit;

Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

[oracle@localhost ~]$ sqlplus /nolog

SQL*Plus: Release 10.2.0.1.0 - Production on Mon Sep 3 01:19:04 2012

Copyright (c) 1982, 2005, Oracle. All rights reserved.

idle> conn scott/think

ERROR:

ORA-28001: the password has expired

Changing password for scott

New password: --使用最早的密码，即oracle

Retype new password:

Password changed

Connected.

scott@ORCL>

2） 密码的登入校验

在这方面，也有两个参数:

failed_login_attempts:锁定前允许的最大失败登录次数

password_lock_time:锁定时间

实验：

会话1：sys

sys@ORCL> drop profile p1 cascade;

Profile dropped.

www.2cto.com

sys@ORCL> create profile p1 limit failed_login_attempts 1 password_lock_time 1/1440;--失败一次就被锁，被锁1分钟

Profile created.

sys@ORCL> alter user scott profile p1;

User altered.

会话2：scott

[oracle@localhost ~]$ sqlplus /nolog

SQL*Plus: Release 10.2.0.1.0 - Production on Mon Sep 3 01:42:46 2012

Copyright (c) 1982, 2005, Oracle. All rights reserved.

www.2cto.com

idle> conn scott/think

ERROR:

ORA-01017: invalid username/password; logon denied

idle> conn scott/oracle

ERROR:

ORA-28000: the account is locked

idle> conn scott/or