O121-C2-014400 - The DBMS must support organizational requirements to enforce password complexity by the number of special characters used.

Information

Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.

Use of a complex password helps to increase the time and resources required to compromise the password.

Note that user authentication and account management must be done via an enterprise-wide mechanism whenever possible. Examples of enterprise-level authentication/access mechanisms include, but are not limited to, Active Directory and LDAP. This requirement applies to cases where it is necessary to have accounts directly managed by Oracle.

Solution

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, no fix to the DBMS is required.

If any user accounts are managed by Oracle, develop, test, and implement a password verification function that enforces DOD requirements.

Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION. This can be used as the starting point for a customized function. The script file is found in the following location on the server depending on OS:

Windows:
%ORACLE_HOME%\RDBMS\ADMIN\catpvf.sql

UNIX/Linux:
$ORACLE_HOME/rdbms/admin/catpvf.sql

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V3R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a), CAT|II, CCI|CCI-004066, Rule-ID|SV-237731r998274_rule, STIG-ID|O121-C2-014400, STIG-Legacy|SV-76219, STIG-Legacy|V-61729, Vuln-ID|V-237731

Plugin: OracleDB

Control ID: dd903713063d76a4dcb477ad9a293bb9bdaef47538985aa2a8c2bd846a297cbe