Home

About Me
Blog
Projects
Awards
Publications
Volunteer

Enforcing Password Strength and Profile Settings in Amazon RDS for Oracle

Arvind Toorpu
2–4 minutes

Enforcing Password Strength and Profile Settings in Amazon RDS for Oracle

Managing the security of database users is essential for safeguarding sensitive data. Amazon RDS for Oracle provides tools and procedures to enforce password strength and manage profile settings effectively. This article outlines the process of creating custom password policies, setting up profiles, and managing password encryption for Oracle users on Amazon RDS.

Profiles and Password Management in Oracle

Oracle Database uses profiles to enforce resource limits and password policies for user accounts. With Amazon RDS, you can create and customize profiles and leverage custom password verification functions to enforce robust password policies.

Setting Up Custom Password Verification

Amazon RDS for Oracle supports the rdsadmin.rdsadmin_password_verify.create_verify_function procedure to create password verification functions. These functions enforce specific password requirements for database users.

Parameters of create_verify_function

The create_verify_function procedure allows you to specify password rules. Below are the parameters:

ParameterTypeDefaultDescription
p_verify_function_namevarchar2The name of the custom function (required).
p_min_lengthnumber8Minimum password length.
p_max_lengthnumber256Maximum password length.
p_min_lettersnumber1Minimum number of letters.
p_min_uppercasenumber0Minimum number of uppercase letters.
p_min_lowercasenumber0Minimum number of lowercase letters.
p_min_digitsnumber1Minimum number of digits.
p_min_specialnumber0Minimum number of special characters.
p_min_different_charsnumber3Minimum different characters from the old password.
p_disallow_usernamebooleantrueDisallow the username in the password.
p_disallow_reversebooleantrueDisallow the reverse of the username.
p_disallow_db_namebooleantrueDisallow the database or server name.
p_disallow_simple_stringsbooleantrueDisallow simple strings as passwords.
p_disallow_whitespacebooleanfalseDisallow whitespace characters in the password.
p_disallow_at_signbooleanfalseDisallow the @ character in the password.

Example: Creating a Custom Password Verification Function

The following example creates a password verification function named CUSTOM_PASSWORD_FUNCTION with specific password policies:

BEGIN
    rdsadmin.rdsadmin_password_verify.create_verify_function(
        p_verify_function_name => 'CUSTOM_PASSWORD_FUNCTION', 
        p_min_length           => 12, 
        p_min_uppercase        => 2, 
        p_min_digits           => 1, 
        p_min_special          => 1, 
        p_disallow_at_sign     => true
    );
END;
/

This function enforces:

  • A minimum password length of 12 characters.
  • At least 2 uppercase letters, 1 digit, and 1 special character.
  • Disallowing the @ character in passwords.

Viewing and Managing Custom Password Functions

  • To view the contents of a password function, query the DBA_SOURCE view:
COL TEXT FORMAT a150

SELECT TEXT 
  FROM DBA_SOURCE 
 WHERE OWNER = 'SYS' 
   AND NAME = 'CUSTOM_PASSWORD_FUNCTION' 
 ORDER BY LINE;
  • To assign the function to a user profile, use the ALTER PROFILE command:
sqlCopyEditALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION CUSTOM_PASSWORD_FUNCTION;
  • To check which profiles are associated with a specific verification function, query the DBA_PROFILES view:
SELECT * 
  FROM DBA_PROFILES 
 WHERE RESOURCE_NAME = 'PASSWORD' 
   AND LIMIT = 'CUSTOM_PASSWORD_FUNCTION';

Setting and Managing Password Encryption

Password encryption is another critical layer of security. Oracle RDS supports encrypted password storage using Oracle’s native capabilities.

Steps to Enable Password Encryption:

  1. Ensure Database Compatibility: Verify that your database supports the SHA-2 hashing algorithm for password encryption.
  2. Set Encryption Algorithm:
    • Use the PASSWORD_VERSION parameter in Oracle to determine which encryption algorithms are enabled.
    • Modify the parameter as required using SQL:
sqlCopyEditALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE;
  1. Enforce Password Expiry: Rotate passwords regularly to minimize risks.

Best Practices for Password Security in RDS

  1. Enable Strong Password Policies: Use custom password verification functions to enforce complexity rules.
  2. Regularly Audit Profiles: Periodically review profiles to ensure compliance with security standards.
  3. Automate Monitoring: Use Amazon RDS event notifications to alert administrators about security violations, such as repeated failed login attempts.
  4. Restrict Access: Limit privileged account access to reduce the risk of compromised credentials.

Conclusion

Enforcing password strength and managing user profiles in Amazon RDS for Oracle helps protect sensitive data and ensures compliance with organizational security policies. By leveraging Oracle’s profile management features and Amazon RDS procedures like create_verify_function, you can define robust password policies tailored to your environment’s needs.

Hello,

Arvind Toorpu

I am a Database Admin/Architect with over 14+ years of experience managing multiple DBMS systems

Let’s connect

Join the fun!

Stay updated with our latest tutorials and ideas by joining our newsletter.

Recent posts