Educause Security Discussion mailing list archives

Complex passwords and Oracle


From: "Geoffrey S. Nathan" <geoffnathan () WAYNE EDU>
Date: Mon, 15 Sep 2008 12:20:15 -0400

Apologies for cross-posting.
We at Wayne State are in the process of implementing a strong password
requirement of the usual sort (upper and lower case, numbers, eight
characters etc.). We have just run into something that seems odd, and is
simultaneously a policy and a technical issue. We run Banner, which has
an Oracle component. Oracle’s password rules forbid certain characters
(" / @ &), and require that any password containing other
non-alphanumerics be enclosed in quote marks--like "th!s".
Although we elected not to require non-alphanumerics, this seems to
actually forbid them, which strikes me as dumbing down any complexity
requirement, and decreasing security. Has anyone else experienced this
issue? Please reply to me off-list, as this may be a 'teaching granny to
suck eggs' kind of question and I don’t want to take up others'
bandwidth with it.

Geoff Nathan
Security Policy Coordinator, C&IT
Wayne State University
geoffnathan () wayne edu
