Information
Default passwords should not be used by Oracle database users.
Default passwords should be considered "well known" to attackers. Consequently, if default passwords remain in place, any attacker with access to the database can authenticate as the user with that default password.
Solution
To remediate this setting, execute the following SQL statements, keeping in mind that if an affected account exists in both the container database and a pluggable database, you must connect to both places to remediate it.
- Manually issue the following SQL*Plus command for each USERNAME returned in the Audit Procedure: PASSWORD <username>
- Execute the following PL/SQL script to assign a randomly generated password to each account using a default password:

  -- In SQL*Plus, run SET SERVEROUTPUT ON first so the DBMS_OUTPUT lines are displayed.
  begin
    -- Every account still using a default password, except the internal XS$NULL user.
    for r_user in (select username from dba_users_with_defpwd
                   where username not like '%XS$NULL%')
    loop
      DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.');
      -- Set a random 16-character password, then lock the account and expire the password.
      execute immediate 'alter user "'||r_user.username||'" identified by "'||
                        DBMS_RANDOM.string('a',16)||'" account lock password expire';
    end loop;
  end;
  /
Note: Changing the default password for the 'SYS' account may require additional procedures.
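The following is an added example, not part of the benchmark text above: a small Python script that takes the USERNAME values the audit query against DBA_USERS_WITH_DEFPWD would return and builds the same ALTER USER ... ACCOUNT LOCK PASSWORD EXPIRE statements as the PL/SQL block, as a reviewable list rather than executing them immediately. Two points differ from the page's block and are this example's own choices: SYS is reported separately instead of altered (the note above says it may need additional procedures), and the generated password mixes upper case, lower case, digits and a few specials so it passes a profile password verify function that requires a digit, which a purely alphabetic DBMS_RANDOM.string('a',16) value would not. The sample usernames are constructed, not taken from a real system.

```python
"""Generate remediation statements for Oracle accounts using a default password.

Added example, not the benchmark's own code. Input is the list of USERNAME
values from DBA_USERS_WITH_DEFPWD; output is one ALTER USER statement per
account plus the list of accounts deliberately left alone.
"""
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIALS = "#_!"  # safe inside a double-quoted Oracle password (no double quote)

# Constructed sample of what the audit query returns; not from a real database.
SAMPLE_AUDIT_USERS = ["SCOTT", "XS$NULL", "OUTLN", "SYS"]


def generate_password(length: int = 16) -> str:
    """Return a random password with at least one character from each class.

    Uses the secrets module (CSPRNG) rather than DBMS_RANDOM; the account is
    locked and the password expired anyway, so the value only has to be
    unguessable and acceptable to the password verify function.
    """
    if length < 4:
        raise ValueError("length must allow one character from each class")
    pools = (UPPER, LOWER, DIGITS, SPECIALS)
    chars = [secrets.choice(pool) for pool in pools]  # one from each class
    everything = "".join(pools)
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the class order is not fixed
    return "".join(chars)


def password_has_all_classes(pwd: str) -> bool:
    """True if pwd contains upper, lower, digit and special characters."""
    return (any(c in UPPER for c in pwd) and any(c in LOWER for c in pwd)
            and any(c in DIGITS for c in pwd) and any(c in SPECIALS for c in pwd))


def quote_ident(name: str) -> str:
    """Double-quote an Oracle identifier so its case is preserved exactly."""
    return '"' + name + '"'


def remediation_statements(usernames, skip_patterns=("XS$NULL",),
                           handle_separately=("SYS",)):
    """Build ALTER USER statements for every account except the excluded ones.

    skip_patterns mirrors the page's NOT LIKE '%XS$NULL%' filter (substring
    match); handle_separately lists accounts to report instead of alter.
    Returns (statements, skipped_usernames).
    """
    statements = []
    skipped = []
    for user in usernames:
        if any(pat in user for pat in skip_patterns) or user in handle_separately:
            skipped.append(user)
            continue
        statements.append(
            f"ALTER USER {quote_ident(user)} IDENTIFIED BY "
            f"{quote_ident(generate_password())} ACCOUNT LOCK PASSWORD EXPIRE"
        )
    return statements, skipped


if __name__ == "__main__":
    stmts, left_alone = remediation_statements(SAMPLE_AUDIT_USERS)
    for stmt in stmts:
        print(stmt + ";")
    print("-- not altered, handle manually: " + ", ".join(left_alone))
```

Run it against the real audit output, review the printed statements, then execute them from SQL*Plus in each container where the accounts exist; the generated passwords are never needed again because every account is locked and its password expired.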