Claremont Oracle E-Business Suite Blog

Password Security: Is Yours Strong Enough?

Written by Ben Morris | Feb 3, 2020 3:05:00 PM

There is a hacker attack every 39 seconds

There is a hacker attack every 39 seconds according to Security Magazine. The Verizon Data Breach Investigations Report found that a staggering 81% of hacking-related breaches leveraged stolen and/or weak passwords, and over 70% of employees re-use passwords at work. Even though 91% of people know that reusing passwords is poor practice, 59% reuse their passwords everywhere, at home and at work.
Source: tracesecurity, Verizon Data Breach Investigations Report

Prevent attackers from accessing your Oracle E-Business Suite (EBS) system in 2020 by improving the complexity and strength of your passwords.

Your EBS application holds a wealth of sensitive personal and corporate information, which could cause your organisation both legal and reputational damage if compromised. One way to mitigate that risk is to improve the strength of user passwords.

There is a wealth of information available from security experts such as McAfee, Norton and Kaspersky. They all agree that having complex passwords reduces the risk of unauthorised use of your systems. Stronger, more complex passwords can be achieved by the following:

  • Using passwords of at least 8 characters in length
  • Using a mixture of upper and lower case letters, numbers and special characters
  • Avoiding repeating characters
  • Changing passwords regularly

One caveat worth knowing: more recent guidance such as NIST SP 800-63B puts more weight on length and on screening new passwords against lists of known-breached passwords than on forced periodic rotation, so check which of these rules your own policy actually requires.

Of course, your organisation may have its own password policy which could include all these best practices or exceed them.

Oracle Does All This, Right?

Oracle EBS does a pretty good job of meeting the password best practices above, although with some limitations. All of the below can be set through standard configuration within Oracle EBS, mostly via the Signon Password profile options.

  • Password Length (profile option Signon Password Length): You can define the minimum length of passwords. This can be set to between five and thirty characters, with a default of five.
    Because this is a profile option, you can also set a different minimum for different types of users. For example, you could ensure that System Administrators have a longer minimum password length than end-users.
  • Password Case (Signon Password Case): You can ensure that passwords are case-sensitive. If a user sets their password with a mixture of upper and lower case letters, they must enter it in that same case when they log on to EBS. This is the default configuration for EBS Release 12 onwards.
  • Password Complexity (Signon Password Hard To Guess): Setting this to Yes makes passwords more complicated by enforcing the following:
    • The password does not contain repeating characters.
    • The password contains at least one letter and one number.
    • The password does not contain the username.
    Note that this alone does not meet the best practice above, as it does not force a user to have a special character or a mixture of upper and lower case letters in their password.
  • Password Reuse (Signon Password No Reuse): You can prevent users from reusing a previous password for a specified number of days. For example, you could prevent a previous password being reused for a year or more.
  • Password Expiration: Each EBS user account can be configured (on the Users form) to force the user to change their password after a set number of days or logins. For example, you can make your EBS users change their passwords every 90 days.
  • Password Failure (Signon Password Failure Limit): You can lock EBS user accounts after a specified number of consecutive failed logon attempts. A locked account will need to be unlocked by a system administrator, for example by resetting the account's password.

Can I do more?

While the out-of-the-box Oracle EBS solution is good, it might not meet best practice or your own organisation's password policy. For example, there is currently no native support for requiring special characters or a mixture of upper and lower case letters in the password. However, Oracle provides a method to build your own custom password validation which can meet whatever rules your organisation may have. By creating a simple Java class that holds your password rules, and registering it in the Signon Password Custom profile option (see Doc ID 362663.1), you can ensure that your own custom validation is triggered whenever a user changes their password.
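As an added example, not code from the original post or from Oracle, here is what such a class can look like. It implements the oracle.apps.fnd.security.PasswordValidation interface that Doc ID 362663.1 describes (confirm the interface and method signatures against the note for your release), so it compiles only against the EBS Java classpath. The package name, class name, message names, the minimum length of 12, the sample usernames and passwords, and the reading of "repeating characters" as two identical adjacent characters are all assumptions. It rebuilds the three Hard To Guess rules, because they no longer apply once a custom class is registered, and then adds the mixed-case and special-character rules that EBS cannot enforce natively.

```java
// Added example of a custom EBS password validator (not Oracle's code).
// Assumed package; deploy under $JAVA_TOP/xxcust/fnd/security/ and set the
// profile option "Signon Password Custom" to the fully qualified class name.
package xxcust.fnd.security;

import java.util.regex.Pattern;
import oracle.apps.fnd.security.PasswordValidation;   // EBS classpath (Doc ID 362663.1)

public class XxcustPasswordValidation implements PasswordValidation {

    // Assumed organisation policy; adjust to your own.
    private static final int MIN_LENGTH = 12;
    private static final Pattern UPPER   = Pattern.compile("[A-Z]");
    private static final Pattern LOWER   = Pattern.compile("[a-z]");
    private static final Pattern DIGIT   = Pattern.compile("[0-9]");
    private static final Pattern SPECIAL = Pattern.compile("[^A-Za-z0-9]");

    // Message Dictionary name to show for the most recent failure.
    // Every name returned below must be defined as an FND message; names are assumed.
    private String errorMessageName = "XXCUST_PWD_INVALID";

    // Called by EBS when a user changes their password.
    public boolean validate(String user, String password) {
        String failed = firstFailedRule(user, password);
        if (failed != null) {
            errorMessageName = failed;
            return false;
        }
        return true;
    }

    // Called by EBS to find out which message to display after validate() returns false.
    public String getErrorStackMessageName() {
        return errorMessageName;
    }

    // Returns null when the password passes every rule, otherwise the message
    // name for the first rule it fails. Rules are checked cheapest-first.
    static String firstFailedRule(String user, String password) {
        if (password == null || password.length() < MIN_LENGTH) {
            return "XXCUST_PWD_TOO_SHORT";
        }
        // Out-of-the-box rule rebuilt: must not contain the username (case-insensitive).
        if (user != null && !user.isEmpty()
                && password.toUpperCase().contains(user.toUpperCase())) {
            return "XXCUST_PWD_CONTAINS_USER";
        }
        // Out-of-the-box rule rebuilt: no repeating characters, read here as
        // two identical characters next to each other (assumption).
        for (int i = 1; i < password.length(); i++) {
            if (password.charAt(i) == password.charAt(i - 1)) {
                return "XXCUST_PWD_REPEATED_CHAR";
            }
        }
        // Out-of-the-box rule rebuilt: at least one letter and one digit.
        boolean hasLetter = UPPER.matcher(password).find() || LOWER.matcher(password).find();
        if (!hasLetter || !DIGIT.matcher(password).find()) {
            return "XXCUST_PWD_NEED_LETTER_DIGIT";
        }
        // Added rules that EBS has no native profile option for.
        if (!UPPER.matcher(password).find() || !LOWER.matcher(password).find()) {
            return "XXCUST_PWD_NEED_MIXED_CASE";
        }
        if (!SPECIAL.matcher(password).find()) {
            return "XXCUST_PWD_NEED_SPECIAL";
        }
        return null;
    }

    // Stand-alone smoke test (EBS never calls main): constructed sample
    // passwords, one per rule, printed with the rule each one fails.
    public static void main(String[] args) {
        String[][] samples = {
            {"JSMITH", "Welcome1"},          // too short
            {"JSMITH", "jsmith2020!Xy"},     // contains username
            {"JSMITH", "Passsword-2020x"},   // adjacent repeated character
            {"JSMITH", "Tiger-Lily-Blue"},   // no digit
            {"JSMITH", "tiger-lily-blue7"},  // no upper case
            {"JSMITH", "TigerLilyBlue7x"},   // no special character
            {"JSMITH", "Tiger-Lily-Blue7"}   // passes every rule
        };
        for (String[] s : samples) {
            String failed = firstFailedRule(s[0], s[1]);
            System.out.println(s[1] + " -> " + (failed == null ? "OK" : failed));
        }
    }
}
```

Compile it against the EBS Java classpath, place the class under $JAVA_TOP in a directory matching its package, define each message name in the Message Dictionary, restart the application tier services so the class is picked up, and set Signon Password Custom to xxcust.fnd.security.XxcustPasswordValidation. The failing rule is kept in an instance field because getErrorStackMessageName takes no arguments; that assumes EBS uses one instance per validation, so check the note before sharing any further state across calls.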


Advantages of Custom Validation

  • You can apply your own organisation's rules to the password validation routine.
  • The functionality supports using custom messages to make the process more user-friendly.
  • Custom validation is supported by Oracle and is an allowed customisation.
  • Implementing custom validation does not require users to immediately change their passwords.

Disadvantages of Custom Validation

  • Requires a custom Java class to be written, compiled and deployed to hold your password rules.
  • Using custom validation removes the out-of-the-box Oracle password complexity rules, so these will need to be rebuilt in your Java class.
  • The validation only runs when a password is changed, so existing weak passwords remain in place until users change them or password expiration forces a change.


Useful Links

How to Setup Password Security? (Doc ID 564125.1)

How to Implement Sign on Password Custom Profile Option in EBS 11i / R12 (Doc ID 362663.1)

Sources:

TraceSecurity; Verizon Data Breach Investigations Report

Security Magazine

Choosing the right Managed Services Provider

If you are looking for an Oracle partner who can help you with Oracle Managed Services, goes about it the right way and can back up the talk, then contact us.

If you would like to find out more about the E-Business Suite updates or have a question, you can email us at info@claremont.co.uk or phone us on +44 (0) 1483 549004.