Part of your company’s security “audit” and review is checking your Oracle database built-in accounts passwords, if the accounts are using “default passwords”….this will be considered a finding.
So, how to find Oracle built-in accounts with “default passwords” ?
SQL> select * FROM DBA_USERS_WITH_DEFPWD ;
For SYS account, please refer to my previous blog post: https://databasesecurityninja.wordpress.com/2019/04/01/changing-sys-password-in-oracle-12cr2-and-18c/
As you know SYS account is OS authenticated account through oracle database software owner so technically changing the password is just for updating the password hash within the database.
Oracle list of built-in accounts can be listed from dba_users view through ORACLE_MAINTAINED column: https://geodatamaster.com/2018/03/22/oracle_maintained-column-in-oracle-12c-dictionary/
In the database I am using, the following are the list of accounts that have DEFAULT passwords:
For example, ORDDATA account is expired and locked as shown below:
select name, astatus from sys.user$ where name=’ORDDATA’;
The astatus value of “25” indicates that the account is locked,expired, and have a “default password”
I have reset the password for ORDDATA account.
If you re-execute the query:
SQL> select * FROM DBA_USERS_WITH_DEFPWD ;
ORDDATA account will not be displayed anymore !
Note: if DBA_USERS_WITH_DEFPWD lists “application accounts” then this could possibly be a “bug”.