DG0126-ORACLE11 - Password reuse should be prevented where supported by the DBMS - 'No unlimited REUSE_MAX or REUSE_TIME for non DEFAULT profiles'

Information

Password reuse restrictions protect against bypass of password expiration requirements and help protect accounts from password guessing attempts. The DoDI 8500.2 specifies preventing password reuse to the extent system capabilities permit.

The PASSWORD_REUSE_MAX value specifies the number of password changes before a password can be reused. The PASSWORD_REUSE_TIME value specifies the length of time before a password can be reused.

Solution

Configure the DBMS to prevent password reuse by modifying Oracle profiles:

From SQL*Plus:

alter profile default limit
password_reuse_max 10
password_reuse_time UNLIMITED;

alter profile [profile name] limit
password_reuse_max default
password_reuse_time default;

Replace [profile name] with any existing, non-default profile names.

Where Host Authentication is used, configure the OS to prevent password reuse.

Consider configuring the DBMS to use alternate authentication methods other than password authentication where supported by the DBMS.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e), CAT|II, Rule-ID|SV-24787r2_rule, STIG-ID|DG0126-ORACLE11, Vuln-ID|V-15633

Plugin: OracleDB

Control ID: f40913009f9094a07983917b9a0d95a3fc3e85458cfbb54255282c971201cf65