PASSWORD_VERIFY_FUNCTION (password complexity verification)

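The official documentation describes this parameter as follows:
The PASSWORD_VERIFY_FUNCTION clause lets a PL/SQL password complexity verification script be passed as an argument to the CREATE PROFILE statement.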

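I. PASSWORD_VERIFY_FUNCTION parameter syntax:

Syntax:

ALTER PROFILE profile LIMIT { resource_parameters | password_parameters } ...;

The PASSWORD_VERIFY_FUNCTION part of password_parameters is:

{ | PASSWORD_VERIFY_FUNCTION { function | NULL | DEFAULT }
}
  • For function, specify the name of the password complexity verification routine. The function must exist in the SYS schema, and you must have EXECUTE privilege on it.
  • NULL indicates that no password verification is performed.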

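II. The two routines created by the default script that Oracle Database provides

Oracle Database ships a default script. In 11g this script can create two routines, but you can also write your own routine or use third-party software.

1. verify_function_11G

- Password complexity:
The password must contain at least one digit and one alphabetic character
The password must be at least 8 characters long

2. verify_function

- Password complexity:
The password must contain at least one digit, one alphabetic character and one punctuation mark
The password must be at least 4 characters long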

3. Run the script

$ cd $ORACLE_HOME
$ sqlplus / as sysdba
SQL> @?/rdbms/admin/utlpwdmg.sql

Function created.

Grant succeeded.

Profile altered.

Function created.

Grant succeeded.

SQL>

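4. Change PASSWORD_VERIFY_FUNCTION (password complexity verification) in a profile

1. List the currently open users and their profiles
select username,profile from dba_users where account_status='OPEN';

2. Set password complexity verification on the default profile, DEFAULT, to the "VERIFY_FUNCTION_11G" routine
-- That is: the password must contain at least one digit and one alphabetic character, and be at least 8 characters long
alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION_11G;

3. Set password complexity verification on the default profile, DEFAULT, to the "verify_function" routine
-- That is: the password must contain at least one digit, one alphabetic character and one punctuation mark, and be at least 4 characters long
alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

4. Turn password complexity verification off
alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION null;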

5. If you have other password complexity requirements, modify the "utlpwdmg.sql" script as needed and run it. The original script is as follows:

Rem
Rem $Header: rdbms/admin/utlpwdmg.sql /st_rdbms_11.2.0/1 2013/01/31 01:34:11 skayoor Exp $
Rem
Rem utlpwdmg.sql
Rem
Rem Copyright (c) 2006, 2013, Oracle and/or its affiliates.
Rem All rights reserved.
Rem
Rem    NAME
Rem      utlpwdmg.sql - script for Default Password Resource Limits
Rem
Rem    DESCRIPTION
Rem      This is a script for enabling the password management features
Rem      by setting the default password resource limits.
Rem
Rem    NOTES
Rem      This file contains a function for minimum checking of password
Rem      complexity. This is more of a sample function that the customer
Rem      can use to develop the function for actual complexity checks that the
Rem      customer wants to make on the new password.
Rem
Rem    MODIFIED   (MM/DD/YY)
Rem    skayoor     01/17/13 - Backport skayoor_bug-14671375 from main
Rem    asurpur     05/30/06 - fix - 5246666 beef up password complexity check
Rem    nireland    08/31/00 - Improve check for username=password. #1390553
Rem    nireland    06/28/00 - Fix null old password test. #1341892
Rem    asurpur     04/17/97 - Fix for bug479763
Rem    asurpur     12/12/96 - Changing the name of password_verify_function
Rem    asurpur     05/30/96 - New script for default password management
Rem    asurpur     05/30/96 - Created
Rem

-- This script sets the default password resource parameters
-- This script needs to be run to enable the password features.
-- However the default resource parameters can be changed based
-- on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like
-- the minimum length of the password, password not same as the
-- username, etc. The user may enhance this function according to
-- the need.
-- This function must be created in SYS schema.
-- connect sys/<password> as sysdba before running the script

CREATE OR REPLACE FUNCTION verify_function_11G
(username varchar2,
  password varchar2,
  old_password varchar2)
  RETURN boolean IS
   n boolean;
   m integer;
   differ integer;
   isdigit boolean;
   ischar  boolean;
   ispunct boolean;
   db_name varchar2(40);
   digitarray varchar2(20);
   punctarray varchar2(25);
   chararray varchar2(52);
   i_char varchar2(10);
   simple_password varchar2(10);
   reverse_user varchar2(32);

BEGIN
   digitarray:= '0123456789';
   chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

   -- Check for the minimum length of the password
   IF length(password) < 8 THEN
      raise_application_error(-20001, 'Password length less than 8');
   END IF;

   -- Check if the password is same as the username or username(1-100)
   IF NLS_LOWER(password) = NLS_LOWER(username) THEN
      raise_application_error(-20002, 'Password same as or similar to user');
   END IF;
   FOR i IN 1..100 LOOP
      i_char := to_char(i);
      if NLS_LOWER(username)|| i_char = NLS_LOWER(password) THEN
         raise_application_error(-20005, 'Password same as or similar to user name ');
      END IF;
   END LOOP;

   -- Check if the password is same as the username reversed
   FOR i in REVERSE 1..length(username) LOOP
      reverse_user := reverse_user || substr(username, i, 1);
   END LOOP;
   IF NLS_LOWER(password) = NLS_LOWER(reverse_user) THEN
      raise_application_error(-20003, 'Password same as username reversed');
   END IF;

   -- Check if the password is the same as server name and or servername(1-100)
   select name into db_name from sys.v$database;
   if NLS_LOWER(db_name) = NLS_LOWER(password) THEN
      raise_application_error(-20004, 'Password same as or similar to server name');
   END IF;
   FOR i IN 1..100 LOOP
      i_char := to_char(i);
      if NLS_LOWER(db_name)|| i_char = NLS_LOWER(password) THEN
         raise_application_error(-20005, 'Password same as or similar to server name ');
      END IF;
   END LOOP;

   -- Check if the password is too simple. A dictionary of words may be
   -- maintained and a check may be made so as not to allow the words
   -- that are too simple for the password.
   IF NLS_LOWER(password) IN ('welcome1', 'database1', 'account1', 'user1234', 'password1', 'oracle123', 'computer1', 'abcdefg1', 'change_on_install') THEN
      raise_application_error(-20006, 'Password too simple');
   END IF;

   -- Check if the password is the same as oracle (1-100)
   simple_password := 'oracle';
   FOR i IN 1..100 LOOP
      i_char := to_char(i);
      if simple_password || i_char = NLS_LOWER(password) THEN
         raise_application_error(-20007, 'Password too simple ');
      END IF;
   END LOOP;

   -- Check if the password contains at least one letter, one digit
   -- 1. Check for the digit
   isdigit:=FALSE;
   m := length(password);
   FOR i IN 1..10 LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(digitarray,i,1) THEN
            isdigit:=TRUE;
            GOTO findchar;
         END IF;
      END LOOP;
   END LOOP;

   IF isdigit = FALSE THEN
      raise_application_error(-20008, 'Password must contain at least one digit, one character');
   END IF;
   -- 2. Check for the character
   <<findchar>>
   ischar:=FALSE;
   FOR i IN 1..length(chararray) LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(chararray,i,1) THEN
            ischar:=TRUE;
            GOTO endsearch;
         END IF;
      END LOOP;
   END LOOP;
   IF ischar = FALSE THEN
      raise_application_error(-20009, 'Password must contain at least one \digit, and one character');
   END IF;

   <<endsearch>>
   -- Check if the password differs from the previous password by at least
   -- 3 letters
   IF old_password IS NOT NULL THEN
      differ := length(old_password) - length(password);

      differ := abs(differ);
      IF differ < 3 THEN
         IF length(password) < length(old_password) THEN
            m := length(password);
         ELSE
            m := length(old_password);
         END IF;

         FOR i IN 1..m LOOP
            IF substr(password,i,1) != substr(old_password,i,1) THEN
               differ := differ + 1;
            END IF;
         END LOOP;

         IF differ < 3 THEN
            raise_application_error(-20011, 'Password should differ from the \old password by at least 3 characters');
         END IF;
      END IF;
   END IF;
   -- Everything is fine; return TRUE ;
   RETURN(TRUE);
END;
/

GRANT EXECUTE ON verify_function_11G TO PUBLIC;

-- This script alters the default parameters for Password Management
-- This means that all the users on the system have Password Management
-- enabled and set to the following values unless another profile is
-- created with parameter values set to different value or UNLIMITED
-- is created and assigned to the user.

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION verify_function_11G;

-- Below is the older version of the script

-- This script sets the default password resource parameters
-- This script needs to be run to enable the password features.
-- However the default resource parameters can be changed based
-- on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like
-- the minimum length of the password, password not same as the
-- username, etc. The user may enhance this function according to
-- the need.
-- This function must be created in SYS schema.
-- connect sys/<password> as sysdba before running the script

CREATE OR REPLACE FUNCTION verify_function
(username varchar2,
  password varchar2,
  old_password varchar2)
  RETURN boolean IS
   n boolean;
   m integer;
   differ integer;
   isdigit boolean;
   ischar  boolean;
   ispunct boolean;
   digitarray varchar2(20);
   punctarray varchar2(25);
   chararray varchar2(52);

BEGIN
   digitarray:= '0123456789';
   chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
   punctarray:='!"#$%&()``*+,-/:;<=>?_';

   -- Check if the password is same as the username
   IF NLS_LOWER(password) = NLS_LOWER(username) THEN
      raise_application_error(-20001, 'Password same as or similar to user');
   END IF;

   -- Check for the minimum length of the password
   IF length(password) < 4 THEN
      raise_application_error(-20002, 'Password length less than 4');
   END IF;

   -- Check if the password is too simple. A dictionary of words may be
   -- maintained and a check may be made so as not to allow the words
   -- that are too simple for the password.
   IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user', 'password', 'oracle', 'computer', 'abcd') THEN
      raise_application_error(-20002, 'Password too simple');
   END IF;

   -- Check if the password contains at least one letter, one digit and one
   -- punctuation mark.
   -- 1. Check for the digit
   isdigit:=FALSE;
   m := length(password);
   FOR i IN 1..10 LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(digitarray,i,1) THEN
            isdigit:=TRUE;
            GOTO findchar;
         END IF;
      END LOOP;
   END LOOP;
   IF isdigit = FALSE THEN
      raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
   END IF;
   -- 2. Check for the character
   <<findchar>>
   ischar:=FALSE;
   FOR i IN 1..length(chararray) LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(chararray,i,1) THEN
            ischar:=TRUE;
            GOTO findpunct;
         END IF;
      END LOOP;
   END LOOP;
   IF ischar = FALSE THEN
      raise_application_error(-20003, 'Password should contain at least one \digit, one character and one punctuation');
   END IF;
   -- 3. Check for the punctuation
   <<findpunct>>
   ispunct:=FALSE;
   FOR i IN 1..length(punctarray) LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(punctarray,i,1) THEN
            ispunct:=TRUE;
            GOTO endsearch;
         END IF;
      END LOOP;
   END LOOP;
   IF ispunct = FALSE THEN
      raise_application_error(-20003, 'Password should contain at least one \digit, one character and one punctuation');
   END IF;

   <<endsearch>>
   -- Check if the password differs from the previous password by at least
   -- 3 letters
   IF old_password IS NOT NULL THEN
      differ := length(old_password) - length(password);

      IF abs(differ) < 3 THEN
         IF length(password) < length(old_password) THEN
            m := length(password);
         ELSE
            m := length(old_password);
         END IF;

         differ := abs(differ);
         FOR i IN 1..m LOOP
            IF substr(password,i,1) != substr(old_password,i,1) THEN
               differ := differ + 1;
            END IF;
         END LOOP;

         IF differ < 3 THEN
            raise_application_error(-20004, 'Password should differ by at \least 3 characters');
         END IF;
      END IF;
   END IF;
   -- Everything is fine; return TRUE ;
   RETURN(TRUE);
END;
/

GRANT EXECUTE ON verify_function TO PUBLIC;

Rem *************************************************************************
Rem END Password Verification Functions
Rem *************************************************************************

Rem *************************************************************************
Rem BEGIN Password Management Parameters
Rem *************************************************************************

-- This script alters the default parameters for Password Management
-- This means that all the users on the system have Password Management
-- enabled and set to the following values unless another profile is
-- created with parameter values set to different value or UNLIMITED
-- is created and assigned to the user.

-- Enable this if you want older version of the Password Profile parameters
-- ALTER PROFILE DEFAULT LIMIT
-- PASSWORD_LIFE_TIME 60
-- PASSWORD_GRACE_TIME 10
-- PASSWORD_REUSE_TIME 1800
-- PASSWORD_REUSE_MAX UNLIMITED
-- FAILED_LOGIN_ATTEMPTS 3
-- PASSWORD_LOCK_TIME 1/1440
-- PASSWORD_VERIFY_FUNCTION verify_function;
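
As an added illustration of step 5 (not part of the original page or of Oracle's script), here is a custom verification function with the same three-argument signature, attached to a dedicated profile, followed by a query that lists which function each open account is subject to. The names custom_verify_function and app_users_profile and the 12-character minimum are assumptions.

```sql
-- Added example. custom_verify_function and app_users_profile are
-- hypothetical names; the 12-character minimum is an assumed policy.
-- Run as SYS, because the function must exist in the SYS schema.
CREATE OR REPLACE FUNCTION custom_verify_function
  (username     varchar2,
   password     varchar2,
   old_password varchar2)
  RETURN boolean IS
BEGIN
   IF length(password) < 12 THEN
      raise_application_error(-20001, 'Password length less than 12');
   END IF;
   -- Reject passwords that contain the user name in any letter case
   IF instr(NLS_LOWER(password), NLS_LOWER(username)) > 0 THEN
      raise_application_error(-20002, 'Password contains the user name');
   END IF;
   -- Require a digit, a letter and a punctuation mark
   IF NOT (regexp_like(password, '[[:digit:]]')
       AND regexp_like(password, '[[:alpha:]]')
       AND regexp_like(password, '[[:punct:]]')) THEN
      raise_application_error(-20003,
         'Password needs a digit, a letter and a punctuation mark');
   END IF;
   -- old_password can be NULL, so test it first as the shipped functions do
   IF old_password IS NOT NULL AND password = old_password THEN
      raise_application_error(-20004, 'Password same as old password');
   END IF;
   RETURN(TRUE);
END;
/

-- Attach the function to a dedicated profile instead of changing DEFAULT
CREATE PROFILE app_users_profile LIMIT
   PASSWORD_VERIFY_FUNCTION custom_verify_function;

-- Audit: verification function in force for every open account.
-- A limit of NULL means no complexity check; DEFAULT means the value
-- is inherited from the DEFAULT profile.
SELECT u.username, u.profile, p.limit AS verify_function
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
 ORDER BY u.username;
```

The function is evaluated only when a password is set or changed, so passwords that already exist are not re-checked when a profile is altered.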
