Thursday, May 28, 2009

Password Policies in Oracle E-Business Suite

One of my customers is challenging the possibility to enforce strong passwords in E-Business Suite (Release 12). Using the generic User Define Form you can define when a password expires, but that is more or less all you can do from that screen. In order to enforce an advanced Password Policy, you should go to the Profile Options:

Signon Password Failure Limit
The Signon Password Failure Limit profile option defines the maximum number of login attempts before the user’s account is disabled.

Signon Password Hard to Guess
Set this Profile Option to Yes to ensure that they will be "hard to guess."
A password is considered hard-to-guess if it meets this requirements:
• The password contains at least one letter and at least one number.
• The password does not contain the username.
• The password does not contain repeating characters.

Signon Password Length
Signon Password Length defines the minimum length of the password. Te default is 5 characters

Signon Password No Reuse
This profile option specifies the number of days before any previously given password can be reused.

Signon Password Case
Set this profile option to 'Sensitive' to make the password case sensitive (it defaults to 'Insensitive in 11i, apparently, it defaults to 'Sensitive' in R12.1.1).

In this example, Users will have to enter a case sensitive password, they are not allowed to enter more than 3 wrong passords, the password must be hard to guess (see above), the lenght is set to at least 8 characters and cannot be used again for at least a year after it has expired.

In the Define User screen we can set the Password Expiration to either
• Days (see example),
• Accesses (the number of logins) or
• None.

Combining the profile options with the Password Expiration will give you a robust password policy for Oracle E-Business Suite.

1 comment: