FAILED_LOGIN_ATTEMPTS part 2

Ref: part 1
I reported this lack of documentation on http://forums.oracle.com/forums/thread.jspa?threadID=330359

Here is my test case (take care, it will create a new db!):

SQL> startup force quiet nomount;
ORACLE instance started.
SQL> create database controlfile reuse extent management
local default tablespace users default temporary tablespace temp
undo tablespace undotbs1;

Database created.
SQL> @?/rdbms/admin/catalog
SQL> @?/rdbms/admin/catproc
SQL> col username for a10
SQL> col PROFILE for a7
SQL> col LIMIT for a12
SQL> select username, profile, limit from dba_users join 
dba_profiles using (profile) 
where resource_name='FAILED_LOGIN_ATTEMPTS';
USERNAME   PROFILE LIMIT 
---------- ------- ------------ 
SYSTEM     DEFAULT 10
SYS        DEFAULT 10
TSMSYS     DEFAULT 10
DIP        DEFAULT 10
DBSNMP     DEFAULT 10
OUTLN      DEFAULT 10
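
An added example, not part of the original post: the query above extended to show how close each account is to its lockout limit, followed by an audit-trail query that shows where the failed logins come from. It assumes you are connected as SYS (the counter is read from the internal SYS.USER$ table) and, for the second query, that session auditing writes to the database audit trail (audit_trail=DB).

```sql
-- Added example (not from the original post).
-- 1) Effective FAILED_LOGIN_ATTEMPTS limit per account next to the current
--    failure counter. A profile whose limit is the literal 'DEFAULT' inherits
--    the value from the DEFAULT profile, so resolve it explicitly.
select u.username,
       u.account_status,
       u.lock_date,
       u.profile,
       decode(p.limit, 'DEFAULT', d.limit, p.limit) as effective_limit,
       s.lcount                                     as failed_so_far
from   dba_users u
       join dba_profiles p
         on p.profile = u.profile
        and p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
       join dba_profiles d
         on d.profile = 'DEFAULT'
        and d.resource_name = 'FAILED_LOGIN_ATTEMPTS'
       join sys.user$ s
         on s.name = u.username
order  by s.lcount desc, u.username;

-- 2) Record failed logons so the source of a lockout can be traced.
audit session whenever not successful;

-- ORA-01017 (wrong password) and ORA-28000 (account locked) over the last day,
-- grouped by account and client host.
select username,
       userhost,
       os_username,
       returncode,
       count(*)       as attempts,
       min(timestamp) as first_seen,
       max(timestamp) as last_seen
from   dba_audit_session
where  returncode in (1017, 28000)
and    timestamp > sysdate - 1
group  by username, userhost, os_username, returncode
order  by attempts desc;
```

A service account such as DBSNMP whose failed_so_far keeps climbing usually points to a client holding a stale password; the second query identifies that host before the account reaches its limit.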

12 thoughts on “FAILED_LOGIN_ATTEMPTS part 2”

  1. Does this mean that the policy violation recommendation for DBSNMP in 10.2: “Oracle recommends changing the parameter FAILED_LOGIN_ATTEMPTS in user profiles to no more than 10” should be ignored because it is already the case?

    Ren

  2. For Oracle10gAS, would you recommend changing this parameter simply to avoid the alert from Grid Control? As you mentioned, the implication is that the account could be locked, and the whole system will be halted. One example is user ‘ORASSO’ …

  3. > the implication is that the account
    > could be locked, and the whole
    > system will be halted. One example
    > is user ‘ORASSO’ …
    Well, this is all about security. On the one hand you protect your data, on the other hand a process/user trying to log in with a wrong password is reducing the availability.

    Up to you…

  4. Laurent,

    Do you know if the failed attempts are 10 in a row or just 10 cumulatively?

    Thanks.

  5. 10 in a row

    SQL> grant create session to x identified by x;

    Grant succeeded.

    SQL> connect x/x
    Connected.
    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    Warning: You are no longer connected to ORACLE.
    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/x
    Connected.
    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    Warning: You are no longer connected to ORACLE.
    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/x
    Connected.
    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    Warning: You are no longer connected to ORACLE.
    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/y
    ERROR:
    ORA-01017: invalid username/password; logon denied

    SQL> connect x/x
    ERROR:
    ORA-28000: the account is locked

  6. 10 in a row means, is it within a day, or over a span of a lifetime?
    My question is, if a user account has 10 failed login attempts, say in a span of 1 year, does the account get locked? Or does it only get locked if the 10 failed logins happen on the same day, or within some short period of time (configurable)?

  7. If you have 10 failed login attempts and 0 successful login attempts in one year or one century, your account will be locked.

    If you have 9 failed, then 1 succeeded, then 9 failed, then 1 succeeded, no, it will not crash.

  8. Laurent,
    Thanks for the details. Just to make clear…
    Did you mean, once I have 9 failed attempts in a row, and then I have a successful attempt, the counter (FAILED_LOGIN_ATTEMPTS) gets reset back to 0?
