Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Express Security >> password for SYS and SYSTEM
(Message started by: Pete Finnigan on Nov 7th, 2005, 8:18pm)

Title: password for SYS and SYSTEM
Post by Pete Finnigan on Nov 7th, 2005, 8:18pm
Even though my first attempt to install Oracle Express (XE) failed abysmally - I talked about this in another thread - I did find out one slight security issue. When prompted to add a password for the users SYS and SYSTEM, I was able to use the age-old default of MANAGER. I was disappointed to see this, as in later versions of the main database product you cannot do this.

cheers

Pete

Title: Re: password for SYS and SYSTEM
Post by Pete Finnigan on Nov 8th, 2005, 9:43pm
Disappointing but....
Old hands who remember system/manager should know enough not to use it.
New hands who don't probably wouldn't use it, and if they tried, might get confused why this word (out of all others) is rejected.

Now if there was a default password policy to make all passwords at least eight characters then it wouldn't be an issue.

Title: Re: password for SYS and SYSTEM
Post by Pete Finnigan on Nov 9th, 2005, 9:20am
Hi Gary,

Yes I agree. My reason for noting it here is that it is a backwards step from what we had in the standard / enterprise editions of 10g.

I agree, two steps could be made: one, force passwords to be longer than 8 characters, and also check that they are not set to any known default or dictionary word. Both of these steps can easily be achieved with a password verification function.

cheers

Pete
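
The password verification function suggested in the last post could look like the following. This is an added example, not code from the thread or from Oracle: the function name `xe_verify_password`, the table `weak_password_words` and its sample rows are assumptions, and the minimum length is taken as eight characters.

```sql
-- Added example, run as SYS. Object names are hypothetical.
-- Lookup table for known default passwords and dictionary words (stored upper-case).
CREATE TABLE weak_password_words (word VARCHAR2(30) PRIMARY KEY);

-- Constructed sample rows: historic Oracle defaults plus common dictionary words.
INSERT INTO weak_password_words VALUES ('MANAGER');
INSERT INTO weak_password_words VALUES ('CHANGE_ON_INSTALL');
INSERT INTO weak_password_words VALUES ('WELCOME');
INSERT INTO weak_password_words VALUES ('PASSWORD');
COMMIT;

-- Signature required of a profile verify function:
-- (username, password, old_password) returning BOOLEAN.
CREATE OR REPLACE FUNCTION xe_verify_password (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN
IS
  pw   VARCHAR2(4000) := UPPER(password);  -- compare case-insensitively
  hits PLS_INTEGER;
BEGIN
  -- Minimum length (a NULL password is rejected here as well).
  IF password IS NULL OR LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;

  -- Accounts whose password equals the user name are a classic default.
  IF pw = UPPER(username) THEN
    raise_application_error(-20002, 'Password must not match the user name');
  END IF;

  -- Reject anything on the known-default / dictionary list,
  -- including long defaults that pass the length check.
  SELECT COUNT(*) INTO hits FROM weak_password_words WHERE word = pw;
  IF hits > 0 THEN
    raise_application_error(-20003, 'Password is a known default or dictionary word');
  END IF;

  RETURN TRUE;
END;
/

-- Attach the function to the profile that the accounts use.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION xe_verify_password;
```

The function only runs when a password is set or changed after the profile limit is in place, so passwords chosen earlier, including those entered at the install prompt, are not re-checked by it.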


