Nonstop Database, HiRDB Version 9 System Operation Guide


25.2 Setting password character string restrictions

Executor: DBA privilege holder

This section explains the procedure for initial set-up of password character string restrictions. You must perform the steps in the order they are shown below, beginning with step (1).

Organization of this section
(1) Evaluate the restrictions that can be set for passwords
(2) Check for users who will be in violation of the specified restrictions
(3) Change passwords
(4) Set the password character string restrictions
(5) Check for users in password-invalid account lock state

(1) Evaluate the restrictions that can be set for passwords

You should evaluate the restrictions that can be set for passwords. The restrictions you should consider are shown in the following table.

Table 25-3 Restrictions that can be set for passwords

Restriction: Specifiable minimum in bytes
Explanation: Specify in bytes the minimum number of characters that can be used for a password. The specifiable range of the minimum number of characters for a password is between 6 and 15.

Restriction: Prohibition on use of the authorization identifier
Explanation: Specify whether inclusion of the person's authorization identifier in the password character string is to be prohibited. If prohibition is specified, the following passwords would be prohibited.
  Examples of prohibited passwords when the authorization identifier is K001:
  K001, abK001, K00165, GTK001KL

Restriction: Prohibition on use of only one type of characters
Explanation: Specify whether use of only one type of characters for a password is to be prohibited. If prohibition is specified, the following passwords would be prohibited.
  Examples of prohibited passwords:
  HUDGTX, jkfgytud, D@MK#B\

(2) Check for users who will be in violation of the specified restrictions

Before establishing restrictions, you should identify the existing users whose current password will not conform to the proposed restrictions. Nonconforming users will be placed in password-invalid account lock state and will no longer be permitted to connect to HiRDB. For details about the identification procedure, see 25.5 Checking for users who will be placed in password-invalid account lock state.

Reference note
Setting up password character string restrictions might cause some users to be placed in password-invalid account lock state. You should notify all users in advance about the imminent establishment of password restrictions, and inform them that they might have to change their password before the implementation date. Once the implementation date arrives, check for users who are in violation of the restrictions and contact them.

(3) Change passwords

Use a GRANT statement to change the password of a user whose existing password does not conform to the password restrictions. Examples follow.

Example 1
Change the password of USER01 to f51HD7tc:
 
GRANT CONNECT TO USER01 IDENTIFIED BY "f51HD7tc"
 
Reference note
Each user can change his or her own password. Passwords can also be changed by a DBA privilege holder.

Example 2
Change the password of DBA privilege holder ADMIN01 to gd4A@sPL:
 
GRANT DBA TO ADMIN01 IDENTIFIED BY "gd4A@sPL"

Example 3
Change the auditor's password to a0h7Fc3K:
 
GRANT AUDIT IDENTIFIED BY "a0h7Fc3K"
 

(4) Set the password character string restrictions

Use CREATE CONNECTION SECURITY to set the desired password character string restrictions.

Note
If the password of a DBA privilege holder or of the auditor does not conform to the restrictions (even if that is the only person whose password does not conform), execution of CREATE CONNECTION SECURITY will not be successful.

An example of specifying CREATE CONNECTION SECURITY follows.

Example
The following password character string restrictions are to be set:
  • The minimum number of bytes for a password is to be set to 8.
  • Inclusion of the authorization identifier in the password is to be prohibited.
  • Use of only one type of characters in a password is to be prohibited.
 
CREATE CONNECTION SECURITY
    FOR PASSWORD
      MIN LENGTH 8                  ...1
      USER IDENTIFIER RESTRICT      ...2
      SIMILAR RESTRICT              ...3
 
Explanation
  1. Requires each password to be at least 8 bytes in length.
  2. Prohibits inclusion of the user's authorization identifier in his or her password. To prohibit, specify RESTRICT; to not prohibit, specify UNRESTRICT.
  3. Prohibits use of only one type of characters in a password. To prohibit, specify RESTRICT; to not prohibit, specify UNRESTRICT.
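
The following is an added example, not part of the HiRDB manual or product: a Python pre-check that a DBA could run on candidate passwords before issuing the GRANT statements in step (3), using the same three settings as the CREATE CONNECTION SECURITY example above. The character classes (including treating @, # and \ as uppercase), the case-insensitive identifier match, and the UTF-8 byte count are assumptions; the function names are hypothetical.

```python
# Added example: offline pre-check of candidate passwords against the three
# restrictions in this section. This is not HiRDB's own validation logic.

# Assumption: @, # and \ are classed with uppercase letters, inferred from the
# prohibited example D@MK#B\ in Table 25-3.
UPPER_EXTRA = "@#\\"


def char_type(ch):
    """Classify one character (assumed classes; the server's rules may differ)."""
    if (ch.isascii() and ch.isupper()) or ch in UPPER_EXTRA:
        return "upper"
    if ch.isascii() and ch.islower():
        return "lower"
    if ch.isascii() and ch.isdigit():
        return "digit"
    return "other"


def violations(auth_id, password, min_length=8,
               user_identifier_restrict=True, similar_restrict=True,
               encoding="utf-8"):
    """Return the names of the restrictions that the password would violate."""
    if not 6 <= min_length <= 15:
        raise ValueError("MIN LENGTH must be between 6 and 15")
    found = []
    # The minimum is in bytes, so a multi-byte character counts more than once.
    if len(password.encode(encoding)) < min_length:
        found.append("MIN LENGTH")
    # Assumption: the identifier is matched without regard to case.
    if user_identifier_restrict and auth_id and auth_id.upper() in password.upper():
        found.append("USER IDENTIFIER")
    if similar_restrict and len({char_type(c) for c in password}) == 1:
        found.append("SIMILAR")
    return found


if __name__ == "__main__":
    # Constructed candidates for a hypothetical user K001.
    for candidate in ["f51HD7tc", "GTK001KL", "jkfgytud", "D@MK#B\\"]:
        print(candidate, violations("K001", candidate) or "conforms")
```

An empty result means the candidate conforms under these assumptions; the server's own check when the GRANT statement is executed remains authoritative.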

(5) Check for users in password-invalid account lock state

Check for users in password-invalid account lock state. For details about how to perform this check, see 25.4.1(1) Check for users in password-invalid account lock state.