
Additional Notes for Password Complexity

If you would like your password policy to be more complex than the example in your textbook (pp. 109-110), you may use this example as a reference when modifying your policy. In the following example, the password complexity verification routine ensures that the password meets the following requirements:

  • Is at least four characters long

  • Differs from the user name

  • Has at least one alpha, one numeric, and one punctuation mark character

  • Is not simple or obvious, such as welcome, account, oracle, database, or user

  • Differs from the previous password by at least 3 characters

The sample code will help you implement the policy specification above. Of course, in your implementation, you may change it to meet the needs and policy of your organization. When you are ready to look at the sample code, click here to download.

After downloading, you may examine the file to see what it will do on your Oracle database system. Modify it and check it again before you run it.
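For reference while reading the downloaded file, here is an added sketch of a verification function that enforces the five requirements listed above. It is not the course's sample code; the names course_verify_function and course_profile are hypothetical, the profile is assumed to exist already, and the function is assumed to be created in the SYS schema so a profile can reference it.

```sql
-- Added example, not the downloadable course file.
-- course_verify_function and course_profile are hypothetical names.
CREATE OR REPLACE FUNCTION course_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  differ  PLS_INTEGER;
  shorter PLS_INTEGER;
BEGIN
  -- Requirement: at least four characters long
  IF LENGTH(password) < 4 THEN
    raise_application_error(-20002, 'Password length less than 4');
  END IF;
  -- Requirement: differs from the user name (compared case-insensitively)
  IF NLS_LOWER(password) = NLS_LOWER(username) THEN
    raise_application_error(-20001, 'Password same as the user name');
  END IF;
  -- Requirement: not one of the simple or obvious words from the list
  IF NLS_LOWER(password) IN ('welcome', 'account', 'oracle', 'database', 'user') THEN
    raise_application_error(-20003, 'Password too simple');
  END IF;
  -- Requirement: at least one alpha, one numeric, one punctuation character
  IF NOT (REGEXP_LIKE(password, '[[:alpha:]]')
          AND REGEXP_LIKE(password, '[[:digit:]]')
          AND REGEXP_LIKE(password, '[[:punct:]]')) THEN
    raise_application_error(-20004,
      'Password needs a letter, a digit and a punctuation mark');
  END IF;
  -- Requirement: differs from the previous password by at least 3 characters.
  -- Count positions that differ, plus the difference in length.
  -- old_password is NULL when no old password is supplied; skip the check then.
  IF old_password IS NOT NULL THEN
    shorter := LEAST(LENGTH(password), LENGTH(old_password));
    differ  := ABS(LENGTH(password) - LENGTH(old_password));
    FOR i IN 1 .. shorter LOOP
      IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 3 THEN
      raise_application_error(-20005,
        'Password must differ from the old password by at least 3 characters');
    END IF;
  END IF;
  RETURN TRUE;
END;
/
-- Attach the function to a profile so it runs on every password change.
ALTER PROFILE course_profile LIMIT PASSWORD_VERIFY_FUNCTION course_verify_function;
```

A user assigned to the profile then sees the matching ORA-200xx message when a new password fails one of the checks.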

 

For Your Information (FYI):

CORPORATE DIRECTIVE NUMBER 88-570471

In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.

RULES FOR THE SELECTION OF PASSWORDS:

1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.

2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.

3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.

4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.

5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.

6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.

7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.

Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.

Zach Hayes (Class of Fall 2010)