提升Oracle用户密码的安全性的技巧

环境：Oracle 11.2.0.4

客户需求：主要背景是数据库中有很多业务用户名，且由于部分用户缺乏安全意识，甚至直接将自己的密码设置为和用户名一样，目前客户期望密码设置不要过于简单，最起码别和用户名一致或相似就好。

1.官方解决方案
2.删减版解决方案
3.测试验证方案
4.用户最近一次的登录时间

1.官方解决方案

实际上Oracle提供有一个非常好用的安全校验函数，来提升用户密码的复杂性。这个在之前的文章《Oracle 11g 安全加固》中的“1.8.数据库密码安全性校验函数”章节就已经有了确切的解决方案,核心内容如下：
select limit from dba_profiles where profile='DEFAULT' and resource_name='PASSWORD_VERIFY_FUNCTION';

prompt =============================
prompt == 8.数据库密码安全性校验函数
prompt =============================
prompt 执行创建安全性校验函数的脚本
@?/rdbms/admin/utlpwdmg.sql
 
select limit from dba_profiles where profile='DEFAULT' and resource_name='PASSWORD_VERIFY_FUNCTION';

2.删减版解决方案

上面这个自带的安全性校验函数对检查过于严苛，而客户目前的需求就只有一个，不允许密码和用户名完全一样或过于相似就可以了。于是乎，我就从这个脚本中找到这项需求，把其他暂时不需要的部分全部去掉。这样，就得到了如下的删减版脚本：
Rem
Rem $Header: rdbms/admin/utlpwdmg1.sql /st_rdbms_11.2.0/1 2013/01/31 01:34:11 skayoor Exp $
Rem
Rem utlpwdmg.sql
Rem
Rem Copyright (c) 2006, 2013, Oracle and/or its affiliates.
Rem All rights reserved.
Rem
Rem    NAME
Rem      utlpwdmg.sql - script for Default Password Resource Limits
Rem
Rem    DESCRIPTION
Rem      This is a script for enabling the password management features
Rem      by setting the default password resource limits.
Rem
Rem    NOTES
Rem      This file contains a function for minimum checking of password
Rem      complexity. This is more of a sample function that the customer
Rem      can use to develop the function for actual complexity checks that the
Rem      customer wants to make on the new password.
Rem
Rem    MODIFIED  (MM/DD/YY)
Rem    skayoor    01/17/13 - Backport skayoor_bug-14671375 from main
Rem    asurpur    05/30/06 - fix - 5246666 beef up password complexity check
Rem    nireland    08/31/00 - Improve check for username=password. #1390553
Rem    nireland    06/28/00 - Fix null old password test. #1341892
Rem    asurpur    04/17/97 - Fix for bug479763
Rem    asurpur    12/12/96 - Changing the name of password_verify_function
Rem    asurpur    05/30/96 - New script for default password management
Rem    asurpur    05/30/96 - Created
Rem

-- This script sets the default password resource parameters
-- This script needs to be run to enable the password features.
-- However the default resource parameters can be changed based
-- on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like
-- the minimum length of the password, password not same as the
-- username, etc. The user may enhance this function according to
-- the need.
-- This function must be created in SYS schema.
-- connect sys/<password> as sysdba before running the script

CREATE OR REPLACE FUNCTION verify_function_11G_WJZYY
(username varchar2,
  password varchar2,
  old_password varchar2)
  RETURN boolean IS
  n boolean;
  m integer;
  differ integer;
  isdigit boolean;
  ischar  boolean;
  ispunct boolean;
  db_name varchar2(40);
  digitarray varchar2(20);
  punctarray varchar2(25);
  chararray varchar2(52);
  i_char varchar2(10);
  simple_password varchar2(10);
  reverse_user varchar2(32);

BEGIN
  digitarray:= '0123456789';
  chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

  -- Check if the password is same as the username or username(1-100)
  IF NLS_LOWER(password) = NLS_LOWER(username) THEN
    raise_application_error(-20002, 'Password same as or similar to user');
  END IF;
  FOR i IN 1..100 LOOP
      i_char := to_char(i);
      if NLS_LOWER(username)|| i_char = NLS_LOWER(password) THEN
        raise_application_error(-20005, 'Password same as or similar to user name ');
      END IF;
    END LOOP;
   
  -- Everything is fine; return TRUE ; 
  RETURN(TRUE);
END;
/

GRANT EXECUTE ON verify_function_11G_WJZYY TO PUBLIC;