Oracle Tips by Burleson
Chapter 4 General Oracle Security
profile should indeed be the same for all
analysts. However, some of the resource limits are different for
different types of claim analysts, and therefore the profiles are
different.
Simply by creating a profile and attaching it
to a user, or a set of users, you have achieved the first requirement in
secure password management, a very important HIPAA requirement. For
the sake of other types of security, you shouldn't stop here; you
should categorize all the users and create profiles for each group.
Nevertheless, for HIPAA this should be enough.
Achieve immediate compliance with the law by
creating and documenting the password features of the user profiles.
Password Management Function
The HIPAA requirements, as well as good
security management practices, demand that the hacker be discouraged
as much as possible from guessing the password. This prevents the
kind of attack called brute force. In this approach, the hacker
employs a dictionary of words that could potentially be used in the
password, makes up combinations of them, creates users with those
passwords and then matches the hashed version of each password with
the target user's password, also hashed.
To discourage this, the password should not be
too easy to guess. Some of the most commonly used passwords are
words like "secret", "password", "topsecret", even "abc123". These
are too obvious and should never be allowed in a password. Similar
examples include the username itself; you would never want the user
JUDY to have a password JUDY, would you?
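The following PL/SQL sketch is an added example, not a script from the book: a password verify function that rejects the obvious words listed above and a password equal to the username, then attaches the check to a profile. The function name hipaa_verify_password and the profile name claim_analyst_profile are hypothetical.

```sql
-- Added example, not from the book. Run as SYS: Oracle requires the
-- verify function referenced by a profile to be owned by SYS.
CREATE OR REPLACE FUNCTION hipaa_verify_password (  -- hypothetical name
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN
IS
  -- Deny list built from the examples given in the text above.
  TYPE word_list IS TABLE OF VARCHAR2(30);
  banned  word_list := word_list('secret', 'password', 'topsecret', 'abc123');
  lc_pass VARCHAR2(4000) := LOWER(password);
BEGIN
  -- Reject the JUDY/JUDY case, regardless of letter case.
  IF lc_pass = LOWER(username) THEN
    raise_application_error(-20001,
      'Password must not be the same as the username');
  END IF;

  -- Reject the obvious words, compared case-insensitively.
  FOR i IN 1 .. banned.COUNT LOOP
    IF lc_pass = banned(i) THEN
      raise_application_error(-20002, 'Password is too easy to guess');
    END IF;
  END LOOP;

  RETURN TRUE;  -- password passed every check
END hipaa_verify_password;
/

-- Attach the check to a profile so it runs on every password change
-- for users assigned to that profile (profile name is hypothetical).
ALTER PROFILE claim_analyst_profile LIMIT
  PASSWORD_VERIFY_FUNCTION hipaa_verify_password;
```

Once the profile is assigned, an attempt to set JUDY's password to JUDY is refused by the function, and the message passed to raise_application_error is returned to the caller.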
The above text is an excerpt from:
Oracle Privacy Security Auditing: The Final Word on Oracle Security
http://rampant-books.com/book_2003_2_audit.htm