Sunday, May 17, 2015

Setting User Password Requirements in Oracle Applications


This post describes how to achieve optimal login password security using the profile settings below in Oracle Applications R12:

1. Setting Password Case Sensitivity Requirement
2. Setting Password Length Requirement
3. Setting Hard to Guess Requirement
4. Enabling Forgot Your Password Functionality
5. Setting Login Attempt Limits
6. Setting Time Limit after Resetting Password



1. Setting Password Case Sensitivity
Profile Option Name “Signon Password Case”



This profile determines whether user passwords are treated as case sensitive or case insensitive. The profile option accepts the following values:

a. Sensitive: All newly created or changed passwords are treated as case sensitive.
b. Insensitive: Passwords are treated as case insensitive.

Note: Passwords for existing user accounts must be reset after you change this setting.

2. Setting Password Length Requirement
Profile Option Name “Signon Password Length”



This profile determines the minimum number of characters required in a user password. The default setting is 5. Oracle recommends a setting of 8 or more.

3. Setting Hard to Guess Requirement
Profile Option Name “Signon Password Hard To Guess”



This profile enforces requirements that make it more difficult to guess what another user's password might be. These requirements come as a package; you must either accept or reject the whole. Oracle recommends a setting of Yes to accept the package.

4. Enabling Forgot Your Password Functionality
Profile Option Name “Local Login Mask”












Oracle recommends a setting of 40 for the Local Login Mask profile. This setting displays a "Forgot your password?" link on the Login page. If the user clicks this link, the system loads a page where the user can enter his or her username.

The user then receives an email stating, "Password reset requires approval." The user needs to click one of the choices, "Approve" or "Reject", which automatically generates an email response. If the user ignores the notification, the request expires in four hours.

5. Setting Login Attempt Limits

Profile Option Name “Signon Password Failure Limit”






















This profile option determines the maximum number of login attempts a user can make before the user's account is disabled. To reinstate the account, a system administrator must unlock the account and reset the password. For example, if the value is set to 3, the account is locked after the user enters an incorrect password 3 times.

6. Setting Time Limit after Resetting Password

Profile Option Name “Signon Password No Reuse”





















This profile sets the minimum number of days that a user must wait after changing a password before being allowed to reuse it. The user can use the new password once and must then wait the set number of days before reusing that password.

For example, if the value of this profile is set to 5, a user who changes the password cannot reuse it until 5 days after the change.

If the profile value is set to the number 0, then there is no restriction on password reuse.
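To check all six settings at once, the query below reports the Site-level value of each profile option covered in this post and flags the ones that fall short of the recommendations above. It is an added example, not part of the original post. It assumes read access to the APPS schema, an English session language (the display names come from FND_PROFILE_OPTIONS_VL), and that "Signon Password Hard To Guess" is stored as Y/N.

```sql
-- Added audit example (not from the original post).
-- Reports the Site-level value of each sign-on profile option discussed above.
-- Assumptions: run as APPS (or with SELECT on these objects), English session
-- language, level_id 10001 = Site level, Hard To Guess stored as 'Y' / 'N'.
SELECT o.user_profile_option_name AS profile_option,
       v.profile_option_value     AS site_value,
       CASE
         -- No Site-level row: no value is defined at Site level
         WHEN v.profile_option_value IS NULL
           THEN 'NOT SET AT SITE LEVEL'
         -- The post recommends a minimum length of 8 or more
         WHEN o.user_profile_option_name = 'Signon Password Length'
              AND TO_NUMBER(v.profile_option_value) < 8
           THEN 'BELOW RECOMMENDED MINIMUM OF 8'
         -- The post recommends Yes for the hard-to-guess package
         WHEN o.user_profile_option_name = 'Signon Password Hard To Guess'
              AND v.profile_option_value <> 'Y'
           THEN 'RECOMMENDED VALUE IS YES'
         -- The post recommends 40 to show the "Forgot your password?" link
         WHEN o.user_profile_option_name = 'Local Login Mask'
              AND v.profile_option_value <> '40'
           THEN 'RECOMMENDED VALUE IS 40'
         -- A value of 0 means there is no restriction on password reuse
         WHEN o.user_profile_option_name = 'Signon Password No Reuse'
              AND v.profile_option_value = '0'
           THEN 'NO RESTRICTION ON PASSWORD REUSE'
         ELSE 'SET - REVIEW AGAINST LOCAL POLICY'
       END                        AS finding
FROM   fnd_profile_options_vl o
       LEFT JOIN fnd_profile_option_values v
              ON  v.profile_option_id = o.profile_option_id
              AND v.application_id    = o.application_id
              AND v.level_id          = 10001
WHERE  o.user_profile_option_name IN (
         'Signon Password Case',
         'Signon Password Length',
         'Signon Password Hard To Guess',
         'Local Login Mask',
         'Signon Password Failure Limit',
         'Signon Password No Reuse'
       )
ORDER  BY o.user_profile_option_name;
```

Values set at the Application, Responsibility or User level are not shown by this query, so check those levels separately.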
