Oracle knows when you should change your password
-
I've submitted this to Error'd, but thought the fundamentals deserved an audience here as well.
First, I don't know why this would ever be a thing. What if I discover someone else knows my password?
But the real problem is the page I'm getting this error on.
Yep, I'm trying to log in and being redirected to a forced-reset page. Where it tells me that I can't change my password because Oracle knows best and I don't need to change it yet.
I did wonder if the real error was that the special characters in my password were too special and it was just throwing this up as a default error message, but even when I go to alphanumerics only I get the same message (and numerics are required by the password policy so I can't dial it back any further).
-
Pondering for some time I think I understand the path Oracle took to get here.
You wouldn't want certain accounts to change their passwords willy-nilly, like service accounts, right?
So, why not make it a feature to only allow password changes when needed?
Oh, but we can't apply it on an account basis, it's system level. What do?
Well, cover the intentional cases we intend a password reset for (expiration and admin-forced) and fuck you. Talk to an admin if you need help.
That's what system operators are for, right?
-
ORA_$$$
error: Out of password reset tokens. Please insert a new cyan cartridge.
-
@Scarlet_Manuka Do you have a "password must not be the same as the last X passwords" policy? If so, this could be a poorly-implemented attempt to prevent users from "running out the clock" by changing their password X times in quick succession, then back to the old, familiar one.
-
@Mason_Wheeler It had the password policy box there complete with indicators to show whether your suggested password was in compliance - as I recall it did have a "not the same as last 4 passwords" item, but the various passwords I attempted to change to fulfilled all requirements including that one.
I mean, my ultimate plan was indeed to cycle through a few dummy ones and then back to my normal password for that environment, but I didn't get far enough to try.
(In the end I just logged in using the same account our system uses to drop the files there. Worked well enough for what I needed, which was to delete one file from this system that I log in to less often than once a year.)
-
@Tsaukpaetra said in Oracle knows when you should change your password:
Pondering for some time I think I understand the path Oracle took to get here.
You wouldn't want certain accounts to change their passwords willy-nilly, like service accounts, right?
So, why not make it a feature to only allow password changes when needed?
It could also be theoretically helpful against account stealing.
-
@boomzilla said in Oracle knows when you should change your password:
@Tsaukpaetra said in Oracle knows when you should change your password:
Pondering for some time I think I understand the path Oracle took to get here.
You wouldn't want certain accounts to change their passwords willy-nilly, like service accounts, right?
So, why not make it a feature to only allow password changes when needed?
It could also be theoretically helpful against account stealing.
"Your password has been breached! Therefore we won't allow you to change it, so GLHF while the hacker simply uses your account for however long it takes for an Admin to get off their derriere...."
-
@Tsaukpaetra said in Oracle knows when you should change your password:
@boomzilla said in Oracle knows when you should change your password:
@Tsaukpaetra said in Oracle knows when you should change your password:
Pondering for some time I think I understand the path Oracle took to get here.
You wouldn't want certain accounts to change their passwords willy-nilly, like service accounts, right?
So, why not make it a feature to only allow password changes when needed?
It could also be theoretically helpful against account stealing.
"Your password has been breached! Therefore we won't allow you to change it, so GLHF while the hacker simply uses your account for however long it takes for an Admin to get off their derriere...."
You'd have to notify an administrator and they'd set that "administrator says you have to change your password" bit mentioned in the OP. But at least the attacker couldn't change your password and lock you out, etc. Not a great strategy, obviously, but a plausible reason for the .
-
@Tsaukpaetra said in Oracle knows when you should change your password:
however long it takes for an Admin to get off their
derriere knees
FTF
-
@HardwareGeek said in Oracle knows when you should change your password:
@Tsaukpaetra said in Oracle knows when you should change your password:
however long it takes for an Admin to get off their
derriere knees
FTF
When it's so large you can't tell the difference...
-
@Tsaukpaetra said in Oracle knows when you should change your password:
@HardwareGeek said in Oracle knows when you should change your password:
@Tsaukpaetra said in Oracle knows when you should change your password:
however long it takes for an Admin to get off their
derriere knees
FTF
When it's so large you can't tell the difference...
When the admin's derriere is so large you can't tell the difference between derriere and knees, that's beyond morbid obesity.
-
@HardwareGeek said in Oracle knows when you should change your password:
morbid obesity
-
@Applied-Mediocrity I avoided mentioning him(?) because I don't know how big his(?) derriere is.
-
This sounds like a horribly written minimum password age error.
Which, along with password expiration, is a dumb concept. But I digress.
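
An added example, not part of any post in this thread and not Oracle's code: a sketch of the two policies discussed above, the "not the same as last 4 passwords" history rule and a minimum password age, showing how applying the age check unconditionally produces the dead end from the first post and how exempting the forced-reset flow avoids it. The `MIN_AGE` value, the `exempt_forced` switch and all function and field names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_AGE = timedelta(days=1)  # assumed value; the thread does not state one
HISTORY_DEPTH = 4            # "not the same as last 4 passwords"

def digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    last_changed: datetime
    must_change: bool = False                    # set on expiry or by an admin
    history: list = field(default_factory=list)  # password digests, newest first

def check_change(acct, new_password, now, exempt_forced=True):
    """Return None when the change is allowed, otherwise a reason code."""
    candidate = digest(acct.salt, new_password)
    if any(hmac.compare_digest(candidate, old) for old in acct.history[:HISTORY_DEPTH]):
        return "reused"
    # Minimum age only exists to stop users cycling through the history.
    # A reset the system itself demands must not be blocked by it.
    forced = exempt_forced and acct.must_change
    if not forced and now - acct.last_changed < MIN_AGE:
        return "too_soon"
    return None

def change_password(acct, new_password, now, exempt_forced=True):
    reason = check_change(acct, new_password, now, exempt_forced)
    if reason is None:
        acct.history.insert(0, digest(acct.salt, new_password))
        del acct.history[HISTORY_DEPTH:]
        acct.last_changed = now
        acct.must_change = False
    return reason

def demo():
    now = datetime(2024, 1, 1, 12, 0)  # constructed sample data
    acct = Account(salt=b"demo-salt", last_changed=now - timedelta(hours=1), must_change=True)
    acct.history.insert(0, digest(acct.salt, "Old-Passw0rd"))
    return [
        check_change(acct, "New-Passw0rd1", now, exempt_forced=False),       # forced reset refused
        change_password(acct, "New-Passw0rd1", now),                         # forced reset allowed
        change_password(acct, "New-Passw0rd2", now + timedelta(minutes=5)),  # cycling blocked
        change_password(acct, "Old-Passw0rd", now + timedelta(days=2)),      # history hit
    ]
```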
-
@HardwareGeek said in Oracle knows when you should change your password:
@Tsaukpaetra said in Oracle knows when you should change your password:
however long it takes for an Admin to get off their
derriere knees
Admins don't have a prayer.
-
Speaking of password resets... I just locked some asshole out of his grubhub business account after he used my email for it somehow. I set it to 'it'sminenow'.
-
@Captain There may be a thread about that here. I know I've seen multiple posts about idiots using the wrong email address, but I don't remember what thread it was in.
-
The Popular Gmail-address thread.