4.4 Ensure Old Password Versions Are Not Used

Information

No password versions (hashes) prior to 12c should be allowed for user authentication.

Oracle Database 12c introduced the 12C password version, a salted SHA-512 (PBKDF2-based) verifier that is markedly stronger than the 10G version (a DES-based, case-insensitive hash) and the 11G version (SHA-1). Pre-12c password versions are considered weak and do not meet modern security standards, and the 10G version in particular is vulnerable to fast offline cracking if the stored verifiers are ever exposed. Allowing accounts to authenticate with outdated password versions increases the risk of password compromise.

Solution

Follow the process "Finding and Resetting User Passwords That Use the 10G Password Version" as outlined in the Oracle Database Upgrade Guide to reset affected user passwords and enforce 12c password versioning.

- Identify users with old password versions by querying the PASSWORD_VERSIONS column of DBA_USERS (a space-separated list such as "10G 11G 12C"); any account that still carries a 10G verifier, or that lacks a 12C verifier, is in scope.
- Ensure that SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12 in the server's sqlnet.ora before resetting passwords; in permissive modes (11 or lower) a password reset regenerates the 10G verifier, so this step must come first. Note that 12 still permits the 11G version; restricting authentication to the 12C version alone requires the value 12a, which also disallows older clients.
- Reset their passwords using the ALTER USER command; the server then stores only the password versions the current setting permits.
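The audit, reset and verification steps above, worked through as SQL against DBA_USERS. This is an added example, not text from the CIS benchmark or the Oracle Upgrade Guide; the user name APPUSER and its new password are placeholders, and the statements assume the sqlnet.ora change has already been made.

```sql
-- Added example (not part of the benchmark text). Run as a DBA in
-- SQL*Plus or SQLcl after the server's sqlnet.ora contains:
--   SQLNET.ALLOWED_LOGON_VERSION_SERVER=12
-- (or 12a to allow only the 12C version).

-- 1. Audit: accounts whose stored verifiers still include the 10G version
--    or lack the 12C version. Externally and globally authenticated
--    accounts have no password verifier and are excluded.
SELECT username,
       account_status,
       password_versions
  FROM dba_users
 WHERE authentication_type = 'PASSWORD'
   AND (   password_versions LIKE '%10G%'
        OR password_versions NOT LIKE '%12C%')
 ORDER BY username;

-- 2. Remediate: with ALLOWED_LOGON_VERSION_SERVER at 12 or higher, the
--    reset generates only the permitted versions, so the 10G verifier is
--    dropped. APPUSER and the password are placeholders; use a unique,
--    randomly generated password in practice.
ALTER USER appuser IDENTIFIED BY "Example-Strong-Passphrase-2024";

-- 3. Verify: the account should now show '11G 12C' with the setting 12,
--    or '12C' alone with the setting 12a.
SELECT username, password_versions
  FROM dba_users
 WHERE username = 'APPUSER';
```

Run the audit query again after all affected accounts have been reset; it should return no rows. Accounts that show only a 10G version when the server is already in exclusive mode cannot log in at all until their password is reset, which is why the audit should precede the sqlnet.ora change on production systems.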

Impact:

Resetting user passwords without proper migration planning may result in application downtime or loss of access.

Users with passwords hashed in an older format will be required to reset their passwords. Limiting authentication to 12c password versions may impact connectivity from older clients that rely on deprecated authentication mechanisms. Applications using pre-12c authentication methods must be updated to support 12c or later password hashing mechanisms.

See Also

https://workbench.cisecurity.org/benchmarks/16474

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: OracleDB

Control ID: b33cd720f868e714763703b46595e010fef683577172e72cdf6223b49d7f69b4