In this post I want to talk about the age of the password, that is, the time a user has been using the same password.
Security policy normally requires passwords to be changed from time to time (a period of three months is usually fine for standard environments). Systems with two-factor authentication (2FA) are a different case: one of the factors changes on every connection, so the static password carries less weight there.
The risks of having a password that never changes are:
- It is more exposed to brute-force cracking because of the time factor: an attacker who obtains the hash can spend months or even years on it, knowing the password will still be valid when it is finally found.
- If it is compromised, it may take a long time to notice, depending on the monitoring we have deployed, or it may only come out afterwards in a forensic analysis.
For all of the above it is very important to change passwords regularly. OK, there can always be users that cannot change theirs for some specific reason (an application account with the password embedded in a configuration file, for example; everything has a justification). In those cases you have to deploy some kind of compensating control:
- Audit
- Logon trigger
- Etc.
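As an added example (not from the original post), here is how those controls look in Oracle SQL: a profile that enforces the three-month rotation, a separate profile for an account that is exempted from it, and the audit plus logon trigger that compensate for the exemption. The profile names, user names and IP addresses (pw_rotating, pw_static, scott, app_batch, 10.0.5.21 and 10.0.5.22) are assumed, for illustration only.

```sql
-- Added example, not from the original post. Names and addresses are assumed.

-- 1. Profile for ordinary users: the password expires after 90 days, with a
--    7-day grace period before the account is locked, and the last 5
--    passwords cannot be reused within a year.
CREATE PROFILE pw_rotating LIMIT
  PASSWORD_LIFE_TIME   90
  PASSWORD_GRACE_TIME  7
  PASSWORD_REUSE_TIME  365
  PASSWORD_REUSE_MAX   5;

ALTER USER scott PROFILE pw_rotating;

-- 2. Exception profile for an application account that cannot rotate.
--    Keeping it in its own profile makes the exception visible in
--    DBA_USERS.PROFILE instead of hiding it in a shared one.
CREATE PROFILE pw_static LIMIT
  PASSWORD_LIFE_TIME  UNLIMITED;

ALTER USER app_batch PROFILE pw_static;

-- 3a. Compensating control: record every session of the static account.
--     Traditional auditing, so AUDIT_TRAIL must be set to DB or XML;
--     on 12c+ with unified auditing the equivalent is
--     CREATE AUDIT POLICY ... ACTIONS LOGON, then AUDIT POLICY ... BY app_batch.
AUDIT SESSION BY app_batch;

-- 3b. Compensating control: refuse the static account from any address
--     other than its known batch servers. IP_ADDRESS is used instead of
--     HOST because HOST is reported by the client and can be set to anything.
CREATE OR REPLACE TRIGGER trg_app_batch_logon
AFTER LOGON ON DATABASE
DECLARE
  v_ip VARCHAR2(64);
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_BATCH' THEN
    v_ip := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    IF v_ip IS NULL OR v_ip NOT IN ('10.0.5.21', '10.0.5.22') THEN
      RAISE_APPLICATION_ERROR(-20001,
        'APP_BATCH may only connect from the batch servers (seen: '
        || NVL(v_ip, 'local') || ')');
    END IF;
  END IF;
END;
/
```

Two caveats. A logon trigger that raises an error does not block users holding ADMINISTER DATABASE TRIGGER (SYS among them), so it cannot lock an administrator out, but it also gives those accounts no protection. And when you test the trigger, keep a second privileged session open so you can drop it if the condition is wrong.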
To see the age of the password we can use this simple query. It reads SYS.USER$ directly, so it needs SYSDBA or SELECT ANY DICTIONARY; PTIME is the date of the last password change, and the TYPE# = 1 filter keeps only users (roles also live in SYS.USER$, with TYPE# = 0):
SELECT NAME, PTIME FROM SYS.USER$ WHERE TYPE# = 1 /
To see those that have not changed for more than three months, oldest first:
SELECT NAME, PTIME FROM SYS.USER$ WHERE TYPE# = 1 AND TRUNC(PTIME) <= TRUNC(SYSDATE)-90 ORDER BY PTIME /
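Going one step further than the query above, as an added example that is not part of the original post, the following report joins SYS.USER$ to DBA_USERS and DBA_PROFILES so that each account shows its status, authentication type and effective PASSWORD_LIFE_TIME, and flags password-authenticated accounts that are both older than 90 days and in a profile that never expires them. It assumes 11g or later (for DBA_USERS.AUTHENTICATION_TYPE) and the same privileges as the simple query.

```sql
-- Added example, not from the original post. Password-age report for all
-- users (roles excluded). A profile limit of DEFAULT is resolved against the
-- DEFAULT profile, otherwise an inherited 180-day limit would look like
-- "never expires". Needs SYSDBA or SELECT ANY DICTIONARY; assumes 11g+.
WITH life AS (
  -- effective PASSWORD_LIFE_TIME per profile
  SELECT p.profile,
         CASE WHEN p.limit = 'DEFAULT'
              THEN (SELECT d.limit
                    FROM   dba_profiles d
                    WHERE  d.profile = 'DEFAULT'
                    AND    d.resource_name = 'PASSWORD_LIFE_TIME')
              ELSE p.limit
         END AS life_time
  FROM   dba_profiles p
  WHERE  p.resource_name = 'PASSWORD_LIFE_TIME'
)
SELECT u.name                          AS username,
       du.account_status,
       du.authentication_type,
       du.profile,
       l.life_time                     AS password_life_time,
       TRUNC(u.ptime)                  AS last_changed,
       TRUNC(SYSDATE) - TRUNC(u.ptime) AS age_days,
       CASE
         WHEN du.authentication_type <> 'PASSWORD'
           THEN 'n/a: no database password'
         WHEN TRUNC(u.ptime) <= TRUNC(SYSDATE) - 90
          AND l.life_time = 'UNLIMITED'
           THEN 'CHECK: >90 days and never expires'
         WHEN TRUNC(u.ptime) <= TRUNC(SYSDATE) - 90
           THEN 'old: profile limit ' || l.life_time || ' days'
         ELSE 'ok'
       END                             AS verdict
FROM   sys.user$  u
JOIN   dba_users  du ON du.user_id = u.user#
LEFT JOIN life    l  ON l.profile  = du.profile
WHERE  u.type# = 1                       -- 1 = user, 0 = role
ORDER  BY age_days DESC NULLS LAST
/
```

Rows marked CHECK are the ones that need either a move to an expiring profile or one of the compensating controls listed earlier. Externally or globally authenticated accounts still carry a PTIME (set when the account was created) but have no database password to rotate, which is why they get the n/a verdict instead of a false alarm.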
HTH – Antonio NAVARRO