Skip to main content
๐Ÿ““ Tibero Online Manual Click here ๐Ÿ““

Search

Welcome to Tibero GTS!

Security Vulnerability Account Management - Setting Password Usage Period and Complexity

Document Type | Technical Information

Category | Security

Applicable Product Versions | Tibero6, Tibero7

Document Number | TSETI013

 

Overview

CategoryCheck ItemsImportanceCode
Account ManagementChange default account passwords, privileges, etc. before useHighD-01
Remove unnecessary database accounts or lock them before useHighD-02
Set password usage period and complexity according to organizational policyHighD-03
Grant database administrator privileges only to necessary accounts and groupsHighD-04
Set restrictions on password reuseMediumD-12
Assign DB user accounts individuallyMediumD-13
Critical Information and Communications Infrastructure - Detailed Guide for Technical Vulnerability Analysis and Evaluation (2021.03.)

This document describes the security vulnerability countermeasures for the item "Account Management - Setting Password Usage Period and Complexity According to Organizational Policy (D-03)".

 

Inspection Content and Purpose

  • Check whether password usage period and complexity settings are applied according to organizational policy.
  • Verify the presence of password usage period and complexity settings to ensure preparedness against unauthorized password guessing attacks (such as brute force attacks, dictionary attacks, etc.).

 

Inspection Criteria

CriteriaDetails
GoodPassword usage period and complexity settings are applied according to organizational policy.
VulnerablePassword usage period and complexity settings are not applied according to organizational policy.
Critical Information and Communications Infrastructure - Detailed Guide for Technical Vulnerability Analysis and Evaluation (2021.03.)

 

Precautions Before Action

Check Default Account List

The default accounts created during Tibero installation are as follows. Accounts may be added or removed depending on the DB version.

Account NamePasswordRemarks
SYStiberoAccount cannot be deleted
SYSCATsyscatAccount cannot be deleted
SYSGISsysgisAccount cannot be deleted
OUTLNoutlnAccount cannot be deleted
TIBEROtmaxAccount can be deleted
TIBERO1tmax

Account can be deleted

Does not exist from version T7 and above

SYSBACKUPtibero

Account cannot be deleted

Exists in some T6FS07 versions (patch 301647 available) and from T7 version and above

LBACSYSlbacsys

Account cannot be deleted

Exists from T7 version and above

 

Periodic Password Changes

When setting a password usage period, passwords must be changed periodically. Confirm in advance the DB accounts used in linked systems to ensure password changes are also applied in those systems.

 

Password Usage Period and Complexity

These are the settings related to password usage period and complexity.

CategoryDescription
FAILED_LOGIN_ATTEMPTSLocks the account if the password is entered incorrectly more times than the set value
PASSWORD_LOCK_TIME

Unlocks the account after N hours from the lock

e.g., setting 1/1440 unlocks automatically after 1 minute

PASSWORD_LIFE_TIME

Sets password expiration period. Password expires after the set duration.

e.g., setting 30 expires after 30 days

e.g., setting 1/1440 expires after 1 minute

PASSWORD_REUSE_TIME

Sets the period during which password reuse is prohibited

e.g., setting 30 disallows changing back to the same password within 30 days

PASSWORD_REUSE_MAX

Prohibits reuse of the most recently changed passwords up to the set number

e.g., setting 10 disallows reuse of the same password for 10 changes; use a different password

PASSWORD_GRACE_TIME

Sets the warning period after password expiration. Password expiration warnings only work on tbsql; other connection methods (OCI, JDBC, etc.) return a password expiration error.

e.g., PASSWORD_LIFE_TIME 30, PASSWORD_GRACE_TIME 3 causes a password expiration warning for 3 days starting from the first login after 30 days

PASSWORD_VERIFY_FUNCTION

Specifies a function to validate the password string when changing the password

By default, the NULL_VERIFY_FUNCTION is applied

FunctionDescription
VERIFY_FUNCTION

- Password length must be at least 4 characters

- Password must include at least one number, one letter, and one special character

- Password must be different from the username

- Password must not be an easily guessable word

- Predefined words ('welcome', 'database', 'account', 'user', 'password', 'tibero', 'computer', 'abcd') are not allowed

- Password must differ from the immediately previous password by at least 3 characters

VERIFY_FUNCTION2

- Password length must be at least 8 characters

- Password must include at least one number and one letter

- Password cannot include the username

- Password cannot include the username in reverse order

- Password cannot include the DB name

- Password must not include easily guessable words

- Predefined words ('welcome', 'database', 'account', 'user', 'password', 'tibero', 'computer', 'abcd') are not allowed

- Password must differ from the immediately previous password by at least 3 characters

* Available on T6 with patch 258810a or T7 and above

NULL_VERIFY_FUNCTIONNo restrictions on the password
LOGIN_PERIODIf set, the account is locked after the specified time has passed since the last login

 

 

Method

Settings

  • Check profiles
set lines 400
col profile for a20
col resource_name for a30
col resource_type for a20
col limit for a20
select * from dba_profiles where RESOURCE_TYPE = 'PASSWORD';

PROFILE              RESOURCE_NAME                  RESOURCE_TYPE        LIMIT
-------------------- ------------------------------ -------------------- --------------------
DEFAULT              FAILED_LOGIN_ATTEMPTS          PASSWORD             UNLIMITED
DEFAULT              PASSWORD_LIFE_TIME             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_VERIFY_FUNCTION       PASSWORD             NULL_VERIFY_FUNCTION
DEFAULT              PASSWORD_LOCK_TIME             PASSWORD             1
DEFAULT              PASSWORD_GRACE_TIME            PASSWORD             UNLIMITED
DEFAULT              LOGIN_PERIOD                   PASSWORD             UNLIMITED

8 rows selected.

 

  • Create profile
CREATE PROFILE [ProfileName] LIMIT
FAILED_LOGIN_ATTEMPTS [Value]
PASSWORD_LOCK_TIME [Value]
PASSWORD_LIFE_TIME [Value]
PASSWORD_REUSE_TIME [Value]
PASSWORD_REUSE_MAX [Value]
PASSWORD_GRACE_TIME [Value]
PASSWORD_VERIFY_FUNCTION [Value];

ex) CREATE PROFILE prof LIMIT
failed_login_attempts 3
password_lock_time 1/1440
password_life_time 90
password_reuse_time unlimited
password_reuse_max 10
password_grace_time 10
password_verify_function verify_function;

 

  • Check profile
set lines 400
col profile for a20
col resource_name for a30
col resource_type for a20
col limit for a50
select * from dba_profiles where RESOURCE_TYPE = 'PASSWORD';

PROFILE              RESOURCE_NAME                  RESOURCE_TYPE        LIMIT
-------------------- ------------------------------ -------------------- --------------------
DEFAULT              FAILED_LOGIN_ATTEMPTS          PASSWORD             UNLIMITED
DEFAULT              PASSWORD_LIFE_TIME             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_VERIFY_FUNCTION       PASSWORD             NULL_VERIFY_FUNCTION
DEFAULT              PASSWORD_LOCK_TIME             PASSWORD             1
DEFAULT              PASSWORD_GRACE_TIME            PASSWORD             UNLIMITED
DEFAULT              LOGIN_PERIOD                   PASSWORD             UNLIMITED
PROF                 FAILED_LOGIN_ATTEMPTS          PASSWORD             3
PROF                 PASSWORD_LIFE_TIME             PASSWORD             90
PROF                 PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
PROF                 PASSWORD_REUSE_MAX             PASSWORD             10
PROF                 PASSWORD_VERIFY_FUNCTION       PASSWORD             VERIFY_FUNCTION
PROF                 PASSWORD_LOCK_TIME             PASSWORD             .000694444444444444444444444444444444444
444
PROF                 PASSWORD_GRACE_TIME            PASSWORD             10
PROF                 LOGIN_PERIOD                   PASSWORD             UNLIMITED

16 rows selected.

 

  • Check profile per account
set lines 400
col username for a30
col profile for a30
SELECT USERNAME,PROFILE FROM DBA_USERS;

USERNAME                       PROFILE
------------------------------ ------------------------------
SYS
TIBERO
SYSCAT
SYSGIS
OUTLN
TIBERO1
P_TEST
PROSYNC

8 rows selected.

 

  • Set profile per account
ALTER USER [USERNAME] PROFILE [ProfileName];

ex) alter user sys profile prof;

 

  • Verify profile setting per account
SELECT USERNAME,PROFILE FROM DBA_USERS;

USERNAME                       PROFILE
------------------------------ ------------------------------
SYS                            PROF
TIBERO                         PROF
SYSCAT                         PROF
SYSGIS                         PROF
OUTLN                          PROF
TIBERO1                        PROF
P_TEST                         PROF
PROSYNC                        PROF

8 rows selected.

 

Revert

  • Revert profile per account

If the default profile settings were not changed, assign the default profile.

ALTER USER [USERNAME] PROFILE [ProfileName];

ex) alter user sys profile default;

 

  • Revert specific RESOURCE information only
ALTER PROFILE [ProfileName] LIMIT [RESOURCE NAME] [Value];

ex) ALTER PROFILE prof LIMIT PASSWORD_VERIFY_FUNCTION NULL_VERIFY_FUNCTION;