RE: Password Change Date

RE: Password Change Date

 

  

Gilson,

99% of the time, I think your answer is spot on.

In general, I was trying to point out a potential "gotcha" in that
SQL*Plus and some applications handles the grace period automatically
while other applications do not. I've seen folks get themselves into
trouble because the DBA's were testing password expiration in dev & test
and the applications they used handled everything gracefully and
automatically, so they assumed that Oracle was handling the grace period
automatically. When they move to the production environment, the
applications normal users use handled things much less gracefully,
causing great pain.

So long as everyone is aware that it's individual applications, not
Oracle, that tell users that their password is about to expire, etc.,
they can put whatever sort of notification program they need together so
that users don't get surprised by password expiration.

The original poster also made a comment about not wanting to lock users
out that I wanted to follow up on. There may be situations where, for
example, a password is used by some automated processes. If you need to
ensure that these processes continue running normally even if the
password maintenance task slips, you may need to roll your own solution
that could involve the DBA visiting someone's cube on the 31st day and
not so gently asking why the password didn't get changed.

Justin Cave
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC

-----Original Message-----
From: Gilson Sirvas
[mailto:oracledba-ezmlmshield-x36320112.[Email address protected]
Sent: Wednesday, May 04, 2005 3:09 PM
To: LazyDBA Discussion
Subject: RE: Password Change Date

Hi,

Just curious, What your solution for this requirement would be Justin?

I'm going to stay with mine and add that, when you asign a profile to a
user and you have defined password management parameters (at least
PASSWORD_LIFE_TIME) before, immediately the EXPIRY_DATE column in
dba_users view is populated with the date when the password fot the
account will expire, actually this date shows that the password already
has expired so the user should change the password immediately. With
this in mind, if you application is not able to receive the message from
the database server now you can create a litle procedure, which now is
able to extract information on password expiration dates from dba_users,
to send an email or do whatever you want to do.

Hope this helps.
Gilson

----- Original Message -----
From: "Justin Cave (DDBC) " <oracledba-ezmlmshield-x20618497.[Email
address protected]
To: "LazyDBA Discussion" <[Email address protected]
Subject: RE: Password Change Date
Date: Wed, 4 May 2005 02:20:18 -0600
>
> First, note that not all applications report the warning that
indicates
> a password is about to expire. If users are connecting via SQL*Plus,
> they'll get the warning; if they are logging in using some other
> application, they may or may not get a warning. That's something that
> you generally have to test and which can frequently be a pain.
>
> Second, what would you want to happen if they ignored the password
> change request? If they got the friendly reminder (either from the
> application, via email, or some other means) and they don't change the
> password, what then? Do you want to lock them out? Or keep hounding
> them to change the password?
>
> Justin Cave
> Distributed Database Consulting, Inc.
> http://www.ddbcinc.com/askDDBC
>
> -----Original Message-----
> From: Gilson Sirvas
> [mailto:oracledba-ezmlmshield-x64630556.[Email address protected]
> Sent: Tuesday, May 03, 2005 5:43 PM
> To: LazyDBA Discussion
> Subject: Re: Password Change Date
>
> Hi,
>
> I would use a profile and use PASSWORD_GRACE_TIME parameter to define
a
> grace period. In this way, every time the user logs in the system,
> he/she will receive an alert, remminding to change their password.
>
> Hope this helps.
> Gilson
>
>
> ----- Original Message -----
> From: "Ilseman Jeffrey A " <oracledba-ezmlmshield-x20742434.[Email
> address protected]
> To: "LazyDBA Discussion" <[Email address protected]
> Subject: Password Change Date
> Date: Tue, 3 May 2005 15:59:18 -0500
>
> >
> > Is there a way to determine the date/time when a particular user's
> > password was last changed?
> >
> > I want to have certain users change their password every 90 days,
but
> I
> > do not want to set an expiration date and lock them out.
> >
> >
> >
> > Knowing when they last changed it, I could script a "friendly"
> reminder
> > a week or two out.
> >
> >
> >
> > Jeff Ilseman
> >
> > 314.554.2623
> >
> >
> >
> >
> >
> > *******************************
> > The information contained in this message may be privileged
> > and/or confidential and
> > protected from disclosure. If the reader of this message is not
> > the intended recipient,
> > or an employee or agent responsible for delivering this message
> > to the intended recipient,
> > you are hereby notified that any dissemination, distribution or
> > copying of this
> > communication is strictly prohibited. Note that any views or
> > opinions presented in this
> > message are solely those of the author and do not necessarily
> > represent those of Ameren.
> > All emails are subject to monitoring and archival. Finally, the
> > recipient should check
> > this message and any attachments for the presence of viruses.
> > Ameren accepts no liability
> > for any damage caused by any virus transmitted by this email. If
> > you have received this in
> > error, please notify the sender immediately by replying to the
> > message and deleting the
> > material from any computer. Ameren Corporation
> > *******************************
> >
> >
> >
> >
> > --------
> > website: http://www.LazyDBA.com
> > Please don't reply to RTFM questions
> > Oracle documentation is here: http://tahiti.oracle.com
> > To unsubscribe: see http://www.lazydba.com/unsubscribe.html
> > To subscribe: see http://www.lazydba.com
> > By using this list you agree to these
> terms:http://www.lazydba.com/legal.html
>
> --
> ___________________________________________________________
> Sign-up for Ads Free at Mail.com
> http://promo.mail.com/adsfreejump.htm
>
>
>
> --------
> website: http://www.LazyDBA.com
> Please don't reply to RTFM questions
> Oracle documentation is here: http://tahiti.oracle.com
> To unsubscribe: see http://www.lazydba.com/unsubscribe.html
> To subscribe: see http://www.lazydba.com
> By using this list you agree to these
> terms:http://www.lazydba.com/legal.html
>
>
>
> --------
> website: http://www.LazyDBA.com
> Please don't reply to RTFM questions
> Oracle documentation is here: http://tahiti.oracle.com
> To unsubscribe: see http://www.lazydba.com/unsubscribe.html
> To subscribe: see http://www.lazydba.com
> By using this list you agree to these
terms:http://www.lazydba.com/legal.html

--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm



--------
website: http://www.LazyDBA.com
Please don't reply to RTFM questions
Oracle documentation is here: http://tahiti.oracle.com
To unsubscribe: see http://www.lazydba.com/unsubscribe.html
To subscribe: see http://www.lazydba.com
By using this list you agree to these
terms:http://www.lazydba.com/legal.html


Oracle LazyDBA home page