PASSWORD_VERIFY_FUNCTION（口令復雜性驗證）

在官方文檔中該參數的闡述：
PASSWORD_VERIFY_FUNCTION子句允許PL/SQL密碼復雜性驗證腳本作為參數傳遞給CREATEPROFILE語句

一、PASSWORD_VERIFY_FUNCTION參數語法：

語法：

ALTER PROFILE profile LIMIT{ resource_parameters | password_parameters } ...;

password_parameters 中 PASSWORD_VERIFY_FUNCTION 部分如下:

{| PASSWORD_VERIFY_FUNCTION{ function | NULL | DEFAULT } }

• 對于FUNCTION（函數）指定密碼復雜度驗證例程的名稱，該FUNCTION必須存在于SYS用戶中，并且您必須對該函數具有執行權限.
• 指定NULL表示未執行密碼驗證.

二、Oracle數據庫提供默認腳本中創建的兩個例程

Oracle數據庫提供默認腳本，在11g數據庫提供默認腳本中可以創建的兩個例程，但你也可以創建自己的例程或使用第三方軟件

1、verify_function_11G

- 密碼復雜度： 密碼必須至少包含一個數字，一個字符 密碼長度至少為8

2、verify_function

- 密碼復雜度： 密碼必須包含至少一個數字，一個字符和一個標點符號 密碼長度至少為4

3、執行腳本

$ cd $ORACLE_HOME $ sqlplus / as sysdba SQL> @?/rdbms/admin/utlpwdmg.sql Function created.Grant succeeded.Profile altered.Function created.Grant succeeded.SQL>

4、在profile中修改PASSWORD_VERIFY_FUNCTION（口令復雜性驗證）

1、查看當前開啟用戶及其profile select username,profile from dba_users where account_status='OPEN'; 2、使用缺省的profile-DEFAULT 修改口令復雜性驗證為 "VERIFY_FUNCTION_11G" 例程 #即：密碼必須至少包含一個數字，一個字符，密碼長度至少為8 alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION_11G; 3、使用缺省的profile-DEFAULT 修改口令復雜性驗證為 "verify_function" 例程 #即：密碼必須包含至少一個數字，一個字符和一個標點符號，密碼長度至少為4 alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;4、關閉密碼口令復雜度認證 alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION null;

5、若自己有對密碼復雜度有其他需求，把 “utlpwdmg.sql” 腳本按需修改執行即可，原腳本內容如下：

Rem Rem $Header: rdbms/admin/utlpwdmg.sql /st_rdbms_11.2.0/1 2013/01/31 01:34:11 skayoor Exp $ Rem Rem utlpwdmg.sql Rem Rem Copyright (c) 2006, 2013, Oracle and/or its affiliates. Rem All rights reserved. Rem Rem NAME Rem utlpwdmg.sql - script for Default Password Resource Limits Rem Rem DESCRIPTION Rem This is a script for enabling the password management features Rem by setting the default password resource limits. Rem Rem NOTES Rem This file contains a function for minimum checking of password Rem complexity. This is more of a sample function that the customer Rem can use to develop the function for actual complexity checks that the Rem customer wants to make on the new password. Rem Rem MODIFIED (MM/DD/YY) Rem skayoor 01/17/13 - Backport skayoor_bug-14671375 from main Rem asurpur 05/30/06 - fix - 5246666 beef up password complexity check Rem nireland 08/31/00 - Improve check for username=password. #1390553 Rem nireland 06/28/00 - Fix null old password test. #1341892 Rem asurpur 04/17/97 - Fix for bug479763 Rem asurpur 12/12/96 - Changing the name of password_verify_function Rem asurpur 05/30/96 - New script for default password management Rem asurpur 05/30/96 - Created Rem-- This script sets the default password resource parameters -- This script needs to be run to enable the password features. -- However the default resource parameters can be changed based -- on the need. -- A default password complexity function is also provided. -- This function makes the minimum complexity checks like -- the minimum length of the password, password not same as the -- username, etc. The user may enhance this function according to -- the need. -- This function must be created in SYS schema. -- connect sys/<password> as sysdba before running the scriptCREATE OR REPLACE FUNCTION verify_function_11G (username varchar2,password varchar2,old_password varchar2)RETURN boolean IS n boolean;m integer;differ integer;isdigit boolean;ischar boolean;ispunct boolean;db_name varchar2(40);digitarray varchar2(20);punctarray varchar2(25);chararray varchar2(52);i_char varchar2(10);simple_password varchar2(10);reverse_user varchar2(32);BEGIN digitarray:= '0123456789';chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';-- Check for the minimum length of the passwordIF length(password) < 8 THENraise_application_error(-20001, 'Password length less than 8');END IF;-- Check if the password is same as the username or username(1-100)IF NLS_LOWER(password) = NLS_LOWER(username) THENraise_application_error(-20002, 'Password same as or similar to user');END IF;FOR i IN 1..100 LOOPi_char := to_char(i);if NLS_LOWER(username)|| i_char = NLS_LOWER(password) THENraise_application_error(-20005, 'Password same as or similar to user name ');END IF;END LOOP;-- Check if the password is same as the username reversedFOR i in REVERSE 1..length(username) LOOPreverse_user := reverse_user || substr(username, i, 1);END LOOP;IF NLS_LOWER(password) = NLS_LOWER(reverse_user) THENraise_application_error(-20003, 'Password same as username reversed');END IF;-- Check if the password is the same as server name and or servername(1-100)select name into db_name from sys.v$database;if NLS_LOWER(db_name) = NLS_LOWER(password) THENraise_application_error(-20004, 'Password same as or similar to server name');END IF;FOR i IN 1..100 LOOPi_char := to_char(i);if NLS_LOWER(db_name)|| i_char = NLS_LOWER(password) THENraise_application_error(-20005, 'Password same as or similar to server name ');END IF;END LOOP;-- Check if the password is too simple. A dictionary of words may be-- maintained and a check may be made so as not to allow the words-- that are too simple for the password.IF NLS_LOWER(password) IN ('welcome1', 'database1', 'account1', 'user1234', 'password1', 'oracle123', 'computer1', 'abcdefg1', 'change_on_install') THENraise_application_error(-20006, 'Password too simple');END IF;-- Check if the password is the same as oracle (1-100)simple_password := 'oracle';FOR i IN 1..100 LOOPi_char := to_char(i);if simple_password || i_char = NLS_LOWER(password) THENraise_application_error(-20007, 'Password too simple ');END IF;END LOOP;-- Check if the password contains at least one letter, one digit -- 1. Check for the digitisdigit:=FALSE;m := length(password);FOR i IN 1..10 LOOP FOR j IN 1..m LOOP IF substr(password,j,1) = substr(digitarray,i,1) THENisdigit:=TRUE;GOTO findchar;END IF;END LOOP;END LOOP;IF isdigit = FALSE THENraise_application_error(-20008, 'Password must contain at least one digit, one character');END IF;-- 2. Check for the character<<findchar>>ischar:=FALSE;FOR i IN 1..length(chararray) LOOP FOR j IN 1..m LOOP IF substr(password,j,1) = substr(chararray,i,1) THENischar:=TRUE;GOTO endsearch;END IF;END LOOP;END LOOP;IF ischar = FALSE THENraise_application_error(-20009, 'Password must contain at least one \digit, and one character');END IF;<<endsearch>>-- Check if the password differs from the previous password by at least-- 3 lettersIF old_password IS NOT NULL THENdiffer := length(old_password) - length(password);differ := abs(differ);IF differ < 3 THENIF length(password) < length(old_password) THENm := length(password);ELSEm := length(old_password);END IF;FOR i IN 1..m LOOPIF substr(password,i,1) != substr(old_password,i,1) THENdiffer := differ + 1;END IF;END LOOP;IF differ < 3 THENraise_application_error(-20011, 'Password should differ from the \old password by at least 3 characters');END IF;END IF;END IF;-- Everything is fine; return TRUE ; RETURN(TRUE); END; /GRANT EXECUTE ON verify_function_11G TO PUBLIC;-- This script alters the default parameters for Password Management -- This means that all the users on the system have Password Management -- enabled and set to the following values unless another profile is -- created with parameter values set to different value or UNLIMITED -- is created and assigned to the user.ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 180 PASSWORD_GRACE_TIME 7 PASSWORD_REUSE_TIME UNLIMITED PASSWORD_REUSE_MAX UNLIMITED FAILED_LOGIN_ATTEMPTS 10 PASSWORD_LOCK_TIME 1 PASSWORD_VERIFY_FUNCTION verify_function_11G;-- Below is the older version of the script-- This script sets the default password resource parameters -- This script needs to be run to enable the password features. -- However the default resource parameters can be changed based -- on the need. -- A default password complexity function is also provided. -- This function makes the minimum complexity checks like -- the minimum length of the password, password not same as the -- username, etc. The user may enhance this function according to -- the need. -- This function must be created in SYS schema. -- connect sys/<password> as sysdba before running the scriptCREATE OR REPLACE FUNCTION verify_function (username varchar2,password varchar2,old_password varchar2)RETURN boolean IS n boolean;m integer;differ integer;isdigit boolean;ischar boolean;ispunct boolean;digitarray varchar2(20);punctarray varchar2(25);chararray varchar2(52);BEGIN digitarray:= '0123456789';chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';punctarray:='!"#$%&()``*+,-/:;<=>?_';-- Check if the password is same as the usernameIF NLS_LOWER(password) = NLS_LOWER(username) THENraise_application_error(-20001, 'Password same as or similar to user');END IF;-- Check for the minimum length of the passwordIF length(password) < 4 THENraise_application_error(-20002, 'Password length less than 4');END IF;-- Check if the password is too simple. A dictionary of words may be-- maintained and a check may be made so as not to allow the words-- that are too simple for the password.IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user', 'password', 'oracle', 'computer', 'abcd') THENraise_application_error(-20002, 'Password too simple');END IF;-- Check if the password contains at least one letter, one digit and one-- punctuation mark.-- 1. Check for the digitisdigit:=FALSE;m := length(password);FOR i IN 1..10 LOOP FOR j IN 1..m LOOP IF substr(password,j,1) = substr(digitarray,i,1) THENisdigit:=TRUE;GOTO findchar;END IF;END LOOP;END LOOP;IF isdigit = FALSE THENraise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');END IF;-- 2. Check for the character<<findchar>>ischar:=FALSE;FOR i IN 1..length(chararray) LOOP FOR j IN 1..m LOOP IF substr(password,j,1) = substr(chararray,i,1) THENischar:=TRUE;GOTO findpunct;END IF;END LOOP;END LOOP;IF ischar = FALSE THENraise_application_error(-20003, 'Password should contain at least one \digit, one character and one punctuation');END IF;-- 3. Check for the punctuation<<findpunct>>ispunct:=FALSE;FOR i IN 1..length(punctarray) LOOP FOR j IN 1..m LOOP IF substr(password,j,1) = substr(punctarray,i,1) THENispunct:=TRUE;GOTO endsearch;END IF;END LOOP;END LOOP;IF ispunct = FALSE THENraise_application_error(-20003, 'Password should contain at least one \digit, one character and one punctuation');END IF;<<endsearch>>-- Check if the password differs from the previous password by at least-- 3 lettersIF old_password IS NOT NULL THENdiffer := length(old_password) - length(password);IF abs(differ) < 3 THENIF length(password) < length(old_password) THENm := length(password);ELSEm := length(old_password);END IF;differ := abs(differ);FOR i IN 1..m LOOPIF substr(password,i,1) != substr(old_password,i,1) THENdiffer := differ + 1;END IF;END LOOP;IF differ < 3 THENraise_application_error(-20004, 'Password should differ by at \least 3 characters');END IF;END IF;END IF;-- Everything is fine; return TRUE ; RETURN(TRUE); END; /GRANT EXECUTE ON verify_function TO PUBLIC;Rem ************************************************************************* Rem END Password Verification Functions Rem *************************************************************************Rem ************************************************************************* Rem BEGIN Password Management Parameters Rem *************************************************************************-- This script alters the default parameters for Password Management -- This means that all the users on the system have Password Management -- enabled and set to the following values unless another profile is -- created with parameter values set to different value or UNLIMITED -- is created and assigned to the user.-- Enable this if you want older version of the Password Profile parameters -- ALTER PROFILE DEFAULT LIMIT -- PASSWORD_LIFE_TIME 60 -- PASSWORD_GRACE_TIME 10 -- PASSWORD_REUSE_TIME 1800 -- PASSWORD_REUSE_MAX UNLIMITED -- FAILED_LOGIN_ATTEMPTS 3 -- PASSWORD_LOCK_TIME 1/1440 -- PASSWORD_VERIFY_FUNCTION verify_function;

總結

以上是生活随笔為你收集整理的PASSWORD_VERIFY_FUNCTION（口令复杂性验证）的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。