How does profile limit for PASSWORD_REUSE_MAX works

5 pts.
Tags:
Oracle 9i
Oracle 9i Configuration
Oracle Database
Oracle Enterprise Database 9i
How does the profile limit for PASSWORD_REUSE_MAX works for Oracle Enterprise Database 9i ? Suppose we set PASSWORD_REUSE_MAX to 5 in a profile for a user. Now this user tries to change his password, then at that point how does Oracle engine checks if the new password the user is giving matches to any he has already used ? Does Oracle stores the old passwords somewhere in the dictionary to crosscheck. Can we see those old passwords. I know we can see the last password from USERS$ tables what about the older ones ?

Answer Wiki

Thanks. We'll let you know when a new response is added.

Any system that uses a Password Maximum Reuse limit maintains a history of previously used passwords (generally it is a hashed copy, not the password itself).
When you try to create a new password, it is run against the history list – if the new password matches one of the previous ones, it will be rejected.
The reuse limit is usually what determines the number of passwords maintained in the history.
Note that increasing the reuse limit usually only affects passwords changed since that point. For example, if the previous limit was 3 and you increased it to 5, a user could reuse a password they used 4 times ago, as the history at the time of the change was only 3 old passwords.
In Oracle, table sys.user_history$ contains the password history information for each user, including the last change date/time. Note that this table will be empty unless the maximum reuse limit has been set.

Note that access to this table (and any other table containing security access related data) should be severely restricted, as if a user can query the table data, it is possible to construct a brute force password cracker by trying lots of passwords and seeing if they hit the hashed value.

Discuss This Question:  

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following