Friday, April 1, 2011

Change their password upon first login/admin reset

Got a question today about password resets:

"I am trying to figure something out. How do we validate that Oracle forces the user to change their password upon first login/admin reset? I thought it was something in the profile options. Thank you for the help."

My response...
Inherent in the system. Can't be turned off. Not controlled by Profile Options.

There is a lot of risk involved with password resets. With plenty of hacking / backdoor access to the database and privileged users that have the ability to reset passwords, this should be a critical control for your organization. You need a policy and related procedures on how/when p/w resets can be requested and who can reset the p/w. Then, because of the risk, the process owner (system or security administrator, security auditor, etc.) should regularly check with the owner of the accounts to make sure the p/w resets were valid and not some nefarious behavior.
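As an added example of the periodic review described above (not part of the original post), the query below pulls the candidate list a process owner would take to the account owners. It assumes Oracle E-Business Suite, where application accounts live in APPLSYS.FND_USER; the reading of its columns (an administrative reset leaves LAST_UPDATED_BY pointing at the administrator, and PASSWORD_DATE stays NULL until the user completes the forced change) is an assumption to confirm against your own instance.

```sql
-- Added review query, not the author's. Assumes Oracle EBS and the FND_USER
-- column semantics stated in the lead-in. Run as APPS or a read-only account.
--
-- Candidate admin resets: FND_USER rows changed by a different user inside
-- the review window. LAST_UPDATE_DATE moves on any change to the row (e-mail,
-- end-date, etc.), so this is a superset; the reviewer confirms each one.
SELECT u.user_name                                        AS account,
       NVL(a.user_name, 'SYSTEM/SEEDED')                  AS reset_by,
       TO_CHAR(u.last_update_date, 'YYYY-MM-DD HH24:MI')  AS reset_on,
       CASE
         WHEN u.password_date IS NULL
           THEN 'FORCED CHANGE STILL PENDING'        -- user has not logged in yet
         ELSE 'USER CHANGED ' || TO_CHAR(u.password_date, 'YYYY-MM-DD')
       END                                                AS forced_change_status,
       TO_CHAR(u.last_logon_date, 'YYYY-MM-DD HH24:MI')   AS last_logon
FROM   applsys.fnd_user u
       LEFT JOIN applsys.fnd_user a
              ON a.user_id = u.last_updated_by             -- who performed the change
WHERE  u.last_update_date >= SYSDATE - 7                   -- review window: 7 days
AND    u.last_updated_by <> u.user_id                      -- not a self-service change
AND    (u.end_date IS NULL OR u.end_date > SYSDATE)        -- active accounts only
ORDER  BY u.last_update_date DESC;
```

Rows that stay in FORCED CHANGE STILL PENDING for days after a reset, or resets performed by an account that is not on the approved list from the policy, are the ones to raise with the account owner first.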

My two cents FWIW.

Jeffrey T. Hare, CPA CIA CISA