1.2 Ensure All Default Passwords Are Changed

Information

Default passwords should be considered 'well known' to attackers. Consequently, if default passwords remain in place any attacker with access to the database then has the ability to authenticate as the user with that default password. When default passwords are altered, this circumstance is mitigated.

Solution

To remediate this recommendation, you may perform either of the following actions. Manually issue the following SQL statement for each USERNAME returned in the Audit Procedure: PASSWORD <username> Execute the following SQL script to randomly assign passwords: begin for r_user in (select username from dba_users_with_defpwd where username not like '%XS$NULL%') loop DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.'); execute immediate 'alter user ''||r_user.username||'' identified by ''||DBMS_RANDOM.string('a',16)||''account lock password expire'; end loop;end;/

See Also

https://workbench.cisecurity.org/files/601

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5c.

Plugin: OracleDB

Control ID: 838bc89bcbb421dac3604d4a01b92b885af6f4c54bc1268253354fbfb4d54447