When you create a user account, a default password policy is assigned to that user account. The default password policy for a newly installed database includes these directives:
The password for the user account expires automatically in 180 days.
The user account is locked 7 days after password expiration.
The user account is locked for 1 day after 10 failed login attempts.
The default password policy is assigned to user accounts through a database object called a profile. Each user account is assigned a profile, and the profile has several attributes that describe a password policy. The database comes with a default profile (named DEFAULT), and unless you specify otherwise when you create a user account, the default profile is assigned to the user account.
For better database security, you may want to impose a more strict password policy. For example, you may want passwords to expire every 70 days, and you may want to lock user accounts after three failed login attempts. (A failed login attempt for a user account occurs when a user enters an incorrect password for the account.) You may also want to require that passwords be complex enough to provide reasonable protection against intruders who try to break into the system by guessing passwords. For example, you might specify that passwords must contain at least one number and one punctuation mark.
You change the password policy for every user account in the database by modifying the password-related attributes of the DEFAULT profile.
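The following SQL is an added example, not part of the original documentation. It applies the stricter policy described above (70-day expiration, lock after three failed login attempts, at least one number and one punctuation mark) to the DEFAULT profile. The function name require_digit_and_punct and the error numbers are assumptions chosen for illustration; the function is created while connected as SYS, because a password verify function must be owned by SYS.

```sql
-- Added example. Run while connected as SYS (AS SYSDBA).
-- require_digit_and_punct is a hypothetical name, not an Oracle-supplied function.

-- 1. Review the current password limits of the DEFAULT profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- 2. Complexity check: at least one number and one punctuation mark.
--    A verify function takes (username, password, old_password) and
--    returns BOOLEAN; raising an error rejects the new password.
CREATE OR REPLACE FUNCTION require_digit_and_punct (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  IF NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20001,
      'Password must contain at least one number');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
    raise_application_error(-20002,
      'Password must contain at least one punctuation mark');
  END IF;
  RETURN TRUE;
END;
/

-- 3. Tighten the DEFAULT profile: expire passwords every 70 days,
--    lock after 3 failed login attempts, enforce the complexity check.
ALTER PROFILE DEFAULT LIMIT
  PASSWORD_LIFE_TIME       70
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_VERIFY_FUNCTION require_digit_and_punct;

-- 4. Confirm the new limits took effect.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND resource_name IN ('PASSWORD_LIFE_TIME',
                         'FAILED_LOGIN_ATTEMPTS',
                         'PASSWORD_VERIFY_FUNCTION');
```

The new limits apply to every account that uses the DEFAULT profile, including application and service accounts. The verify function is evaluated only when a password is next set or changed.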
Note:
It is possible to have different password policies for different user accounts. You accomplish this by creating multiple profiles, setting password-related attributes differently for each profile, and assigning different profiles to different user accounts. This scenario is not addressed in this section.
See Also:
Oracle Database Security Guide for an example of creating a password profile
Oracle Database SQL Language Reference for more information about the SQL CREATE PROFILE statement