
Oracle presents a fairly restrictive password policy:

Passwords can be from 1 to 30 characters.

The first character in an Oracle password must be a letter.

Only letters, numbers, and the symbols “#”, “_” and “$” are acceptable in a password.

These kinds of restrictions sometimes pass through to web applications - either because the system is Oracle backed, or a web developer has copied the rules. For example, the Virgin Media login: Virgin Media password policy.

With best practices dictating salting + hashing, hence no restriction on length or characters, why does Oracle do this? Are there technical reasons, or is it simply a legacy choice?

Cybergibbons

1 Answer


I would say that other characters might confuse the Oracle parser. You use SQL to change the password:

alter user xxx identified by pass;

There are NO quotes around the password. So I would say it is for legacy reasons. Oracle has the same restrictions for identifier/table/column names as well.

PS: password strength (entropy) is not primarily determined by the possible characters, but by its length. In the case of a password, it's the length that matters.

ibre5041
    Isn't password entropy H = L*logN/log2? – Cybergibbons Feb 19 '15 at 10:32
  • see this xkcd comic strip: http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength – ibre5041 Feb 19 '15 at 10:34
  • I don't agree that the strip supports the notion that password strength is more impacted by length than character set. It supports that a longer password that is memorable is better than a shorter one that isn't. Character set has more of an impact on entropy, and for brute forcing that is important. – Cybergibbons Feb 19 '15 at 10:54
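As an added illustration (not code from the question or the answer), here is a small Python check of the three Oracle rules quoted in the question next to the entropy formula from the comments, so the length-versus-character-set disagreement can be put in numbers. The alphabet sizes are my assumptions: 65 for the Oracle set (both letter cases, digits, "#", "_", "$") and 95 for printable ASCII; Oracle's actual case handling is not stated on the page.

```python
import math
import string

# Rules quoted in the question: 1-30 characters, first character a letter,
# only letters, digits and the symbols "#", "_" and "$" allowed.
ORACLE_LETTERS = set(string.ascii_letters)
ORACLE_ALLOWED = ORACLE_LETTERS | set(string.digits) | set("#_$")
ORACLE_MAX_LEN = 30

# Assumed alphabet sizes for the comparison (constructed for this example).
ORACLE_ALPHABET = len(ORACLE_ALLOWED)   # 65: 52 letters + 10 digits + 3 symbols
PRINTABLE_ASCII = 95                    # space through "~"


def oracle_policy_ok(password: str) -> bool:
    """True if the password satisfies the three rules from the question."""
    if not 1 <= len(password) <= ORACLE_MAX_LEN:
        return False
    if password[0] not in ORACLE_LETTERS:
        return False
    return all(ch in ORACLE_ALLOWED for ch in password)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """H = L * log(N) / log(2) from the comments, i.e. L * log2(N) bits,
    assuming every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def extra_length_to_match(length: int, small_n: int, big_n: int) -> int:
    """Extra characters a random password from the smaller alphabet needs so
    that it has at least the entropy of a `length`-character password drawn
    from the larger alphabet."""
    needed = math.ceil(entropy_bits(length, big_n) / math.log2(small_n))
    return max(0, needed - length)


if __name__ == "__main__":
    for pw in ("Abc_123$", "1abc", "abc!", "a" * 31):
        print(f"{pw!r:12} policy ok: {oracle_policy_ok(pw)}")
    for L in (8, 12, 16):
        extra = extra_length_to_match(L, ORACLE_ALPHABET, PRINTABLE_ASCII)
        print(f"L={L:2}: oracle set {entropy_bits(L, ORACLE_ALPHABET):5.1f} bits, "
              f"printable ASCII {entropy_bits(L, PRINTABLE_ASCII):5.1f} bits, "
              f"extra Oracle-set characters to match: {extra}")
```

At a fixed length the larger character set does win (about 78.8 vs 72.3 bits at 12 characters), but one or two extra characters from the restricted set close that gap, which is the sense in which both commenters are right.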