Friday, April 1, 2011

Change their password upon first login/admin reset

Got a question today about password resets:

"I am trying to figure something out. How do we validate that Oracle forces the user to change their password upon first login/admin reset? I thought it was something in the profile options. Thank you for the help."

My response...
Inherent in the system. Can't be turned off. Not controlled by Profile Options.

There is a lot of risk involved with password resets. With plenty of hacking / backdoor access to the database and privileged users who have the ability to reset passwords, this should be a critical control for your organization. You need a policy and related procedures on how/when p/w resets can be requested and who can reset the p/w. Then, because of the risk, the process owner (system or security administrator, security auditor, etc.) should regularly check with the owners of the accounts to make sure the p/w resets were valid and not some nefarious behavior.

My two cents FWIW.

Regards,
Jeffrey T. Hare, CPA CIA CISA

4 comments:

Anonymous said...

At our company, we have the workflow mailer send an email to the user indicating that their Oracle application password has been changed. Instructions to call our help desk are provided if the change was not authorized.

Jeffrey T. Hare, CPA CISA CIA said...

Good comment sent to me by Jim Teague:

I think you can validate this indirectly.

When a user is first created by the Sys Admin, LAST_LOGON_DATE and PASSWORD_DATE in the FND_USER table are blank. After the user logs in and changes their password, these values are populated.

You can also review the PASSWORD_LIFESPAN_DAYS and compare this with LAST_LOGON_DATE and PASSWORD_DATE to validate that the system is indeed forcing the user to change the password at the end of the Lifespan, and to validate that a lifespan is set for each user and it matches the company's policy. For example: SELECT USER_NAME, password_lifespan_days FROM FND_USER WHERE (PASSWORD_LIFESPAN_DAYS is null or PASSWORD_LIFESPAN_DAYS != 30)
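As an added illustration of the indirect validation Jim describes (this is not code from the post, from Jim, or from Oracle), the script below turns his FND_USER checks into a small exception report. It loads a constructed sample of the four columns he names (USER_NAME, LAST_LOGON_DATE, PASSWORD_DATE, PASSWORD_LIFESPAN_DAYS) into an in-memory SQLite table and runs his 30-day lifespan query alongside three related checks derived from his description: users who have never logged on, passwords older than their own lifespan, and the anomaly of a user who has logged on while PASSWORD_DATE is still blank. The sample rows, the fixed "today" date and the SQLite stand-in for Oracle's SYSDATE arithmetic are all assumptions made for the example; against a real instance the same SELECT statements would run over FND_USER directly, with `julianday(:today) - julianday(password_date)` replaced by `SYSDATE - PASSWORD_DATE`.

```python
import sqlite3
from datetime import date, timedelta

# Fixed "today" so the constructed sample gives reproducible results.
TODAY = date(2011, 4, 1)
POLICY_LIFESPAN_DAYS = 30  # the 30-day policy value used in the comment's query


def days_ago(n):
    """ISO date string n days before TODAY (SQLite's julianday() parses it)."""
    return (TODAY - timedelta(days=n)).isoformat()


# Constructed sample rows for the FND_USER columns named in the comment.
# (user_name, last_logon_date, password_date, password_lifespan_days)
SAMPLE_FND_USER = [
    ("JSMITH",   days_ago(3),  days_ago(10), 30),    # compliant
    ("NEWHIRE",  None,         None,         30),    # created by sysadmin, never logged in
    ("RESETME",  days_ago(1),  None,         30),    # logged in but PASSWORD_DATE still blank
    ("CONTRACT", days_ago(5),  days_ago(45), 30),    # password older than its lifespan
    ("SVCACCT",  days_ago(2),  days_ago(20), None),  # no lifespan set at all
    ("AUDITOR",  days_ago(2),  days_ago(20), 90),    # lifespan set, but not the 30-day policy
]

# Each check is plain SQL over FND_USER. In Oracle the date arithmetic would be
# SYSDATE - PASSWORD_DATE; SQLite needs julianday() with today's date bound.
CHECKS = {
    # The comment's own query: lifespan missing, or different from policy.
    "lifespan_not_policy": (
        "SELECT user_name FROM fnd_user "
        "WHERE password_lifespan_days IS NULL OR password_lifespan_days != :policy"
    ),
    # Account exists but the user has never logged on: the forced first-login
    # password change has not happened yet, so the account warrants follow-up.
    "never_logged_in": (
        "SELECT user_name FROM fnd_user WHERE last_logon_date IS NULL"
    ),
    # Password is older than the lifespan the profile says it should have.
    "password_past_lifespan": (
        "SELECT user_name FROM fnd_user "
        "WHERE password_date IS NOT NULL AND password_lifespan_days IS NOT NULL "
        "AND julianday(:today) - julianday(password_date) > password_lifespan_days"
    ),
    # Per the comment, a login should populate PASSWORD_DATE; a logon with a
    # blank PASSWORD_DATE contradicts that and should be investigated.
    "logon_without_password_change": (
        "SELECT user_name FROM fnd_user "
        "WHERE last_logon_date IS NOT NULL AND password_date IS NULL"
    ),
}


def run_checks(rows=SAMPLE_FND_USER, today=TODAY, policy_days=POLICY_LIFESPAN_DAYS):
    """Load rows into an in-memory FND_USER table; return {check_name: [user_name, ...]}."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fnd_user (user_name TEXT, last_logon_date TEXT, "
        "password_date TEXT, password_lifespan_days INTEGER)"
    )
    conn.executemany("INSERT INTO fnd_user VALUES (?, ?, ?, ?)", rows)
    params = {"policy": policy_days, "today": today.isoformat()}
    results = {}
    for name, sql in CHECKS.items():
        # Unused named parameters are ignored by sqlite3, so one dict serves all checks.
        results[name] = sorted(r[0] for r in conn.execute(sql, params))
    conn.close()
    return results


if __name__ == "__main__":
    for check, users in run_checks().items():
        print(f"{check}: {', '.join(users) if users else '(none)'}")
```

Run periodically, the exception lists give the process owner the concrete set of accounts to confirm with their owners, which is the follow-up step the post calls for.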

Anonymous said...

Hi - I am definitely glad to discover this. Good job!

Anonymous said...

Hey - I am really delighted to discover this. Good job!