11gR2 Database User Password Complexity Verification


C:\Users\LIUBINGLIN>sqlplus / as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on 星期一 3月 25 22:53:24 2013

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


连接到:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> @?/rdbms/admin/utlpwdmg.sql

函数已创建。


配置文件已更改


函数已创建。

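        Running the utlpwdmg.sql script enables the Oracle database password complexity verification rules. The rules are as follows:

1. For users that were not imported from an earlier database release, passwords are strictly case sensitive.
2. The password must be at least 8 characters and no more than 30 characters long.
3. The password cannot be the same as the username, the username spelled backwards, or the username with 1-100 appended.
4. The password cannot be the same as the server name, or the server name with 1-100 appended.
5. The password cannot be too simple, for example: welcome1, database1, account1, user1234, password1, oracle, oracle123, computer1, abcdefg1, or change_on_install.
6. The password cannot be oracle, or oracle with 1-100 appended.
7. The password must contain at least 1 digit and 1 letter.
8. The new password must differ from the old password by at least 3 characters.
9. The password lifetime is 180 days, and the grace period is 7 days.
10. If a user enters an incorrect password 10 times in a row, the account is locked.
11. Once the policy is set, it is only checked when a user is created or a password is changed; existing users' passwords keep working. To be safe, change the passwords of the SYSTEM user and of all business application users immediately after setting the policy.
12. The rules above do not apply to the SYS user (SYS is the super administrator, its password is stored in a separate file, and it should be given the strictest password).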

Here is a test example:
SQL> alter user test identified by test123;

alter user test identified by test123
*
第 1 行出现错误:
ORA-28003: 指定口令的口令验证失败
ORA-20001: Password length less than 8

SQL> alter user test identified by test123123;

用户已更改。

SQL> create user test123123 identified by "321321tset";
create user test123123 identified by "321321tset"
*

第 1 行出现错误:
ORA-28003: 指定口令的口令验证失败
ORA-20003: Password same as username reversed


SQL> select profile,resource_name,limit from dba_profiles where profile='DEFAULT' and resource_name in ('PASSWORD_LIFE_TIME','PASSWORD_VERIFY_FUNCTION','PASSWORD_LOCK_TIME','PASSWORD_GRACE_TIME','PASSWORD_REUSE_MAX','PASSWORD_REUSE_TIME');

PROFILE              RESOURCE_NAME                  LIMIT
-------------------- ------------------------------ --------------------
DEFAULT              PASSWORD_LIFE_TIME             180
DEFAULT              PASSWORD_REUSE_TIME            UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             UNLIMITED
DEFAULT              PASSWORD_VERIFY_FUNCTION       VERIFY_FUNCTION_11G
DEFAULT              PASSWORD_LOCK_TIME             1
DEFAULT              PASSWORD_GRACE_TIME            7

已选择6行。

About password versions:
SELECT USERNAME,PASSWORD_VERSIONS FROM DBA_USERS;

USERNAME                       PASSWORD_VERSIONS
------------------------------ -----------------
JONES                          10G 11G
ADAMS                          10G 11G
CLARK                          10G 11G
PRESTON                        11G
BLAKE                          10G

The passwords for accounts jones, adams, and clark were originally created in Release 10g and then reset in Release 11g. Their passwords, assuming case sensitivity has been enabled, are now case sensitive, as is the password for preston. However, the account for blake is still using the Release 10g standard, so it is case insensitive. Ask him to reset his password so that it will be case sensitive, and therefore more secure.
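The query below is an added example, not part of the original post. It combines rule 11 with the password-version check above to list the accounts that still need a password reset after utlpwdmg.sql has been run. It assumes a DBA session on 11gR2, that the policy took effect when SYS.VERIFY_FUNCTION_11G was first created, and it reads the undocumented PTIME (last password change) column of SYS.USER$.

```sql
-- Added audit query (not from the original post).
WITH pol AS (
  SELECT
    -- Verify function set on the DEFAULT profile (the string 'NULL' when unset).
    (SELECT limit
       FROM dba_profiles
      WHERE profile = 'DEFAULT'
        AND resource_name = 'PASSWORD_VERIFY_FUNCTION') AS default_vf,
    -- Assumption: the policy started when the function was first created.
    (SELECT created
       FROM dba_objects
      WHERE owner = 'SYS'
        AND object_type = 'FUNCTION'
        AND object_name = 'VERIFY_FUNCTION_11G') AS enabled_at
    FROM dual
)
SELECT u.username,
       u.account_status,
       u.profile,
       u.password_versions,
       -- A profile limit of 'DEFAULT' inherits the DEFAULT profile's value.
       DECODE(p.limit, 'DEFAULT', pol.default_vf, p.limit) AS verify_function,
       s.ptime AS password_changed,
       CASE
         WHEN u.password_versions IS NULL
           THEN 'no password verifier stored (not password-authenticated)'
         WHEN INSTR(u.password_versions, '11G') = 0
           THEN '10G verifier only, case insensitive: reset password'
         WHEN DECODE(p.limit, 'DEFAULT', pol.default_vf, p.limit) = 'NULL'
           THEN 'profile has no verify function'
         WHEN s.ptime < pol.enabled_at
           THEN 'password predates the policy, never checked: reset password'
         ELSE 'ok'
       END AS finding
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
  JOIN sys.user$ s
    ON s.name = u.username
   AND s.type# = 1                 -- 1 = user, 0 = role
 CROSS JOIN pol
 WHERE u.username <> 'SYS'         -- rule 12: SYS is not covered by the profile
 ORDER BY finding, u.username;
```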

Making the SYS user's password strictly case sensitive:
orapwd file=orapw entries=100 ignorecase=n
Enter password for SYS: password 

This creates a password file called orapw. Because ignorecase is set to n (no), the password entered for the password parameter will be case sensitive. Afterwards, if you connect using this password, it succeeds, as long as you enter it using the exact case sensitivity in which it was created. If you enter the same password but with different case sensitivity, it will fail.

If you set ignorecase to y, then the passwords in the password file are case insensitive, which means that you can enter the password using any capitalization that you want.

If you imported user accounts from a previous release and these accounts were created with SYSDBA or SYSOPER privileges, then they will be included in the password file. The passwords for these accounts are case insensitive. The next time these users change their passwords, and assuming case sensitivity is enabled, the passwords become case sensitive. For greater security, have these users change their passwords.


        For more details, see the documentation: http://docs.oracle.com/cd/E11882_01/network.112/e16543/authentication.htm#DBSEG33224

--end--