Database Password Security Settings

You can manage password security in the Ocient System by using a variety of settings and managing user states.

Password Security Settings

The Ocient System includes password security settings to meet specific security requirements or preferences. Five settings are available to configure your password security.

| Security Setting | Description |
| --- | --- |
| password_minimum_length | The minimum length of passwords. The maximum password length supported by the Ocient System is 32. |
| password_complexity_level | An integer value representing the password complexity algorithm. Supported values are: 1 (Level 1): The password must contain at least one upper case character, lower case character, and number. 2 (Level 2): In addition to the requirements specified in level 1, the password must contain at least one non-alphanumeric character. |
| password_no_repeat_count | The number of unique passwords that a user must use before they can reuse a password. |
| password_lifetime_days | The password must be changed after this number of days. After the password is older than this period, the user changes to the PASSWORD_EXPIRED state on their next login. |
| password_invalid_attempt_limit | The number of login attempts with an invalid password before a user changes to the DISABLED state. |

A value of 0 for any of these settings means that the system ignores that setting.

Password Security Setting Hierarchy and Precedence

You can set all these settings at the system, database, or group levels. The Ocient System uses the most restrictive value. For example, if password_minimum_length is 8 at the system level, 10 at the database level, and 12 at the group level, the system applies the value 12 to the user.

You can only add a user to a group after you create the user in the system. Upon user creation, password_minimum_length, password_complexity_level, and password_no_repeat_count settings are based only on system- and database-level settings.
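
The precedence rule above, worked through as an added Python example (not Ocient code; the function and variable names are hypothetical). It assumes that "most restrictive" means the largest value for length, complexity, and repeat count, and the smallest non-zero value for lifetime and attempt limit, and it uses Python's own character classes for the complexity checks.

```python
MAX_PASSWORD_LENGTH = 32  # maximum length stated on this page

# Assumption: "most restrictive" is the largest value for these settings...
HIGHER_IS_STRICTER = {"password_minimum_length", "password_complexity_level",
                      "password_no_repeat_count"}
# ...and the smallest non-zero value for these (shorter lifetime, fewer attempts).
LOWER_IS_STRICTER = {"password_lifetime_days", "password_invalid_attempt_limit"}

# Constructed sample values; the minimum lengths are the page's own example.
SYSTEM = {"password_minimum_length": 8, "password_lifetime_days": 90}
DATABASE = {"password_minimum_length": 10, "password_complexity_level": 1}
GROUP = {"password_minimum_length": 12, "password_complexity_level": 2,
         "password_lifetime_days": 30}


def effective_policy(*levels):
    """Merge per-level settings; a value of 0 (or a missing key) is ignored."""
    policy = {}
    for name in sorted(HIGHER_IS_STRICTER | LOWER_IS_STRICTER):
        active = [lvl[name] for lvl in levels if lvl.get(name, 0) > 0]
        if not active:
            policy[name] = 0
        elif name in HIGHER_IS_STRICTER:
            policy[name] = max(active)
        else:
            policy[name] = min(active)
    return policy


def password_violations(password, policy):
    """Return the rules a candidate password breaks under the merged policy."""
    problems = []
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append("longer than 32 characters")
    min_len = policy["password_minimum_length"]
    if min_len and len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    level = policy["password_complexity_level"]
    if level >= 1:  # level 1: upper case, lower case and a number
        if not any(c.isupper() for c in password):
            problems.append("no upper case character")
        if not any(c.islower() for c in password):
            problems.append("no lower case character")
        if not any(c.isdigit() for c in password):
            problems.append("no number")
    if level >= 2 and all(c.isalnum() for c in password):  # level 2 adds a symbol
        problems.append("no non-alphanumeric character")
    return problems
```

Calling `effective_policy(SYSTEM, DATABASE)` models the user-creation case, where group settings do not yet apply; a password accepted then can fail the stricter merged policy once the user joins a group.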

System Catalog Table for Security Settings

The sys.security_settings system catalog table shows current security settings. For databases and groups, the table contains settings only if any settings are non-zero.

After setting the password_invalid_attempt_limit value, you can inspect the value using the sys.security_settings system catalog table.

The sys.users system catalog table contains information about users, their current state, and details about their security status, such as the last time the password was updated or the number of failed login attempts.

User States

Ocient local users, not SSO-based users, are in one of these states:

  • ENABLED
  • DISABLED
  • PASSWORD_EXPIRED

ENABLED State

Enabled users have normal access privileges to the system. They can connect and execute SQL statements. This state is the default state for all users.

DISABLED State

A disabled user cannot connect to the system, and if they are currently connected, they cannot execute any SQL statements. Users become disabled automatically if they exceed the password_invalid_attempt_limit number of failed password attempts.

An administrator must set the state of the user to ENABLED for the user to resume access.

PASSWORD_EXPIRED State

This state enables a user to log on. However, the only SQL statement they can execute is ALTER USER <example_user> SET PASSWORD='yyyy'. The user receives a warning that their password is expired when they authenticate.

Whenever the password_lifetime_days number of days has elapsed after the last time the password changed, the system automatically transitions a user to the PASSWORD_EXPIRED state on their next login.

You can inspect the last password change timestamp in the password_updated_at column in the sys.users system catalog table.

Change User State

To change the state of a user to any of these states, use the ALTER USER SQL statement.
