What about from web?
Robert Boyle, May 14, 2002 - 6:59 am UTC
Tom,
Good answer and helpful. Do you have any idea how to do this from a web app developed in Coldfusion?
We tried the "alter user blah identified by blah" but we can't execute the cfquery as the password has expired. We can catch the -28001 code but as we can't execute the cfquery we don't know what to do with it :o(
I notice the Pro C uses ALTER AUTHORIZATION - is there something similar we could use on expired passwords?
Thanks in advance.
Robert
Is there an answer to Robert's question?
Jay Bostock, September 26, 2002 - 6:58 am UTC
I was just wondering if there is an answer to Robert's question above - I am writing a web-app using JDBC to connect to an oracle database and need to handle this error (ora-28001). How could I do this?
Thanks
Jay
September 26, 2002 - 8:25 am UTC
Well, actually -- you don't want an answer to his question as that would be very specific to that very specific product cold fusion (about which I know squat).
Here is a support note (also avaialable on metalink by searching for
ora-28001 jdbc
surprisingly!) that addresses YOUR question:
Article-ID: <Note:124970.1>
Circulation: PUBLISHED (EXTERNAL)
Folder: languages.Java.JDBC
Topic: Sample Code Articles
Title: Example: How to Change an Expired Password in JDBC?
Document-Type: SCRIPT
Impact: LOW
Skill-Level: NOVICE
Server-Version: 08.01.07
Updated-Date: 04-SEP-2002 07:12:09
References:
Attachments: NONE
Content-Type: TEXT/PLAIN
Products: 972/OCI;
Platforms: GENERIC;
Overview
--------
Starting with Oracle8i, the database provides a number of password management
capabilities including the ability to expire passwords with or without some
grace period during which the user has an option to change the password.
If the password has expired with no grace period, the attempt to connect to
the database returns an ORA-28001 error. In this case, the user must change
the password before continuing as the current connection is not valid.
If there is a grace period, the database returns an ORA-28002 warning and the
user has the option to change the password if desired, but can continue to use
the existing connection if not (ORA-28002 is a warning only).
The capability to programmatically change the password has been available in
OCI8 since 8.1.5, but was only recently exposed via JDBC, starting in 8.1.7.
Currently, this capability is only exposed in the 8.1.7 JDBC OCI driver. The
JDBC Thin driver does not currently support any password management features.
Program Notes
-------------
This sample has been tested using the following configuration:
Sun JDK 1.2 for Solaris
8.1.7 JDBC OCI driver for Solaris
8.1.7 Enterprise Edition Server for Solaris
The 8.1.7 JDBC OCI driver is mandatory, but the use of JDK 1.2 should not be
required. Also, this should work against any 8.1.X version of the database.
To run this sample, do the following:
a.) Set up your environment for Oracle (i.e. ORACLE_HOME, etc.)
b.) Set up your CLASSPATH to include the Oracle JDBC drivers
setenv CLASSPATH .:$ORACLE_HOME/jdbc/lib/classes12.zip (C shell)
OR
export CLASSPATH=.:$ORACLE_HOME/jdbc/lib/classes12.zip (Korn/Bourne shell)
NOTE: If you are using JDK 1.1, substitute the 8.1.7 classes111.zip file.
c.) Compile the java source code to create a Class file
javac Employee.java
d.) Run the program
java Employee -- defaults to local connection as scott/tiger
OR
java Employee url user pass -- to specify different connect parameters
url contains the complete JDBC connect url including jdbc:oracle:oci8:@
Caution
-------
The sample program in this article is provided for educational purposes only
and is NOT supported by Oracle Support Services. It has been tested
internally, however, and works as documented. We do not guarantee that it
will work for you, so be sure to test it in your environment before relying
on it.
Program
-------
- - - - - - - - - - - - - - - - Code begins here - - - - - - - - - - - - - - - -
/*
* This sample is a modified version of the Employee.java
* sample that ships with 8.1.X. It demonstrates how to use
* the new Password Management/Password Aging features supported
* in JDBC OCI starting with version 8.1.7.
*
* NOTE: Password management isn't available in the Thin driver!
*
* If invoked with no args, it uses the scott/tiger user and
* the default connection. If you wish to use a TNS service
* name, different user and/or password, you can invoke as:
*
* java Employee url user password
*/
import java.io.*;
import java.sql.*;
import java.util.*;
// The Sample Java application
class Employee
{
public static void main (String args []) throws SQLException
{
// Load the Oracle JDBC driver
DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
// Default connection (but could be modified to specify service name)
// NOTE: Must use oci8 here ... not supported by the thin driver
String url = "jdbc:oracle:oci8:@";
String usr = "scott";
String pwd = "tiger";
// Use singleton array so we can pass the connection to
// another function as an OUT parameter
Connection conn[] = new Connection[1];
// Use the command line args if provided
if ( args.length >= 1 ) url = args[0];
if ( args.length >= 2 ) usr = args[1];
if ( args.length == 3 ) pwd = args[2];
// Create a properties object and initialize it
Properties props = new Properties();
props.put("user",usr);
props.put("password",pwd);
// Attempt the initial connection to the database
try {
System.out.println("Attempting initial connection to " + url +
" as " + usr + "/" + pwd);
conn[0] = DriverManager.getConnection (url, props);
// If the password has expired, but there is a grace
// period, you will receive a warning, but no error.
SQLWarning sqlw = conn[0].getWarnings();
if ( sqlw != null && sqlw.getErrorCode() == 28002 )
{
// For interacting with user to get new password
String answer = null;
DataInputStream dis = new DataInputStream(System.in);
System.out.println("Your password will expire soon!");
System.out.println("Would you like to change it now (y or n)?");
try {
answer = dis.readLine();
}
catch ( IOException ioe ) {
ioe.printStackTrace();
}
// If user does not want to change the password, just
// continue. The original connection is ok to use.
if ( answer.equals("y") || answer.equals("Y") )
{
// Otherwise, close the original connection
// and open a new one, changing the password.
// Technically, it is not necessary to close
// the other connection, but this will waste
// resources by keeping the session alive if
// you have no intention of using it.
conn[0].close();
retryConnection(conn, url, props);
}
}
}
catch ( SQLException sqle ) {
// If the password has expired and there is no grace
// period, then you must change the password or exit.
if ( sqle.getErrorCode() == 28001 ) {
// For interacting with user to get new password
String answer = null;
DataInputStream dis = new DataInputStream(System.in);
System.out.println("Your password has expired!");
System.out.println("Would you like to change it now (y or n)?");
try {
answer = dis.readLine();
}
catch ( IOException ioe ) {
ioe.printStackTrace();
}
// If user wants to change password, do it.
// Otherwise exit since connection is unusable.
if ( answer.equals("y") || answer.equals("Y") )
{
retryConnection(conn, url, props);
}
else
{
System.out.println("Exiting ... ");
System.exit(0);
}
}
}
// Create a Statement
Statement stmt = conn[0].createStatement ();
// Select the ENAME column from the EMP table
ResultSet rset = stmt.executeQuery ("select ENAME from EMP");
// Iterate through the result and print the employee names
while (rset.next ())
System.out.println (rset.getString (1));
// Close the RseultSet
rset.close();
// Close the Statement
stmt.close();
// Close the connection
conn[0].close();
}
private static void retryConnection(Connection conn[],
String url,
Properties props) throws SQLException {
Connection newconn = null;
String newpass = null, newpass2 = null;
DataInputStream dis = new DataInputStream(System.in);
try {
System.out.println("New Password: ");
newpass = dis.readLine();
System.out.println("Confirm Password: ");
newpass2 = dis.readLine();
}
catch ( IOException ioe ) {
}
if ( ! newpass.equals(newpass2) ) {
System.out.println("Passwords don't match!");
System.out.println("Exiting ... ");
System.exit(1);
}
props.put("OCINewPassword",newpass);
System.out.println("Attempting to change password ... ");
newconn = DriverManager.getConnection(url, props);
System.out.println("Connected");
conn[0] = newconn;
}
}
- - - - - - - - - - - - - - - - Code ends here - - - - - - - - - - - - - - - -
Sample Output
-------------
If the password is current and no ORA-28001 or ORA-28002 error occurs.
Attempting initial connection to jdbc:oracle:oci8:@ as scott/tiger
smith
allen
ward
jones
martin
blake
clark
scott
king
turner
adams
james
ford
miller
If the password is expired and either a ORA-28001 or ORA-28002 error occurs.
Attempting initial connection to jdbc:oracle:oci8:@ as scott/tiger
Your password has expired!
Would you like to change it now (y or n)?
y
New Password:
tiger2
Confirm Password:
tiger2
Attempting to change password ...
Connected
smith
allen
ward
jones
martin
blake
clark
scott
king
turner
adams
james
ford
miller
The one notable difference is that, for ORA-28002, you should see the message:
Your password will expire soon!
Additional Search Words
-----------------------
expiration
A reader, October 31, 2003 - 10:29 am UTC
November 01, 2003 - 11:53 am UTC
hmm, very useful feedback. thanks?
Forgot system password
RD, September 01, 2004 - 7:12 pm UTC
Hi Tom,
I have just taken over a test database for which no one knows the system password. The sys one is still the default one. How can I create a system password?
When I try :-
SQL> alter user system password manager;
alter user system password manager
*
ERROR at line 1:
ORA-02000: missing EXPIRE keyword
then
SQL> alter user system password expire;
User altered.
SQL> alter user system password manager;
alter user system password manager
*
ERROR at line 1:
ORA-02000: missing EXPIRE keyword
How do I get around this ?
Thanks as always in advance,
Regards,
RD.
September 01, 2004 - 8:59 pm UTC
alter user system IDENTIFIED BY manager;
complex password
ashraf, September 02, 2004 - 2:52 am UTC
i need to force user to use complex password not using thier userid for example user ashraf can not use password ashraffor security recommendation how can i do that
September 02, 2004 - 8:09 am UTC
PSP Web app- Password management
A reader, November 05, 2004 - 10:42 am UTC
TOM,
In our situation DAD has no password set.
Currently user's passwords are never changed.
The requirement is expire the passwords after certain period and make users RESET their passwords upon expiry.
Now when password expires how the user gets the oppurtunity to interactively reset the password?
TIA
November 05, 2004 - 4:37 pm UTC
There are grace periods and there are "expired passwords"
your application could (on its first screen) query the database to see if the user is in the grace period.
If so, tell them and ask them to "change their password"
If their password is expired -- that is a "help desk reset" isn't it? But if you wanted to, I suppose if you had a mapping of username to password -- you could set up a screen that was a "reset password for username:" screen that anyone could access, it would reset the password for the user (generating a random one) and email it to them (since we cannot authenticate them -- they are "expired", they cannot log in)
PSP Web app- Password management
RD, November 07, 2004 - 10:10 am UTC
Thanks TOM.
Pls correct me if my understanding was wrong.
1) "mapping of username to password" = "a table with userid and password".
2) "mapping of username to password" is required to ensure that user resets only his password !! by the old password we know he is the right user. Did i get it right?
3) What are the best ways to keep a password in a table ?
4) When i provide a screen "reset password for username:", it can generate a password of user's choice no? why it will be Randomly generated !!
TIA
November 07, 2004 - 2:50 pm UTC
I don't think there is a good way to keep a password in a table.
1) but yes, a mapping of username to pasword would imply that.
2) yes
3) i'm not a fan of it.
4) because you are not going to give that password to the user, you are going to EMAIL the account that is the users email account.
Say I goto "E*Trade" (stock trading place).
Say I said to "E*Trade" -- I am 'tom', please reset my password to 'foobar'.
That would be bad. So, I can goto E*Trade and say "i am 'tom', i need a new password". E*Trade will email my email account a new password. That way, if the guy that went to etrade wasn't really ME -- they didn't get my password.
PSP Web app- Password management
RD, November 08, 2004 - 3:50 am UTC
Thanks again for your inputs TOM.
But still i am not clear with the last point.
If i want to reset my password i provide my userid and old(expired) password. Only i know my old password and this can be confirmed by "mapping of username to password".
If user himself resetting the password he is aware of his new password no ?
TIA
November 08, 2004 - 10:17 am UTC
what is the point of expiring the password then?
there is a grace period (you can fix it then)
once it expires, it is expired -- must be "reset"
that is my "thought process" here -- if it is expired, it is expired -- gone, not to be used.
Password Policy
Randy, November 08, 2004 - 12:47 pm UTC
Tom,
Is there a way to modify the password verify_function to check case sensitive passwords? I am faced with implementing a password policy that uses uppercase, lowercase, and special characters.
Thanks,
Randy
November 08, 2004 - 5:24 pm UTC
No, because the passwords in Oracle are not case sensitive.
Trying to use "identified externally" with JDBC thin client
Sanjay Dholakiya, December 01, 2004 - 4:59 pm UTC
Would you or some experienced person, please comment on how to use operating system authentication with JDBC thin clients. when I try to use os authentication with JDBC client, it gives error "Null user or password not supported in THIN driver"
Thanks
Sanjay
December 01, 2004 - 7:54 pm UTC
documenation says.....
The Thin driver does not support OS authentication in making the connection, and therefore does not support special logins.
the thin driver does not support certain features with regards networking and this is one of them.
reader
A reader, December 05, 2004 - 1:08 pm UTC
How to query the database for the grace period
before the password expires, so that we can
alert the user or most importantly the application
before it expires
December 05, 2004 - 7:03 pm UTC
see dba_users, your dba can create "yet another view" on top of this to expose just the information deemed necessary for your application.
password change while accessing db link
sam, December 16, 2004 - 3:24 pm UTC
Tom,
To see if the dblink is alive we select like follows
select dummy from a.b@link
but if the schema 'b' is set to password expired with grace period the link comes back with error ora-28002.
Is there any way to get away from it??
Wrap that error somehow ??
Essentially what I want to do is just check if DB link is good or not. Is there any other way ??
December 16, 2004 - 3:53 pm UTC
You can contact support and reference bug 3093904. It is not reproducing in 10g (that was the closure on that one) but does reproduce in 9ir2.
Un-expire passwords...
Craig, August 22, 2005 - 11:04 am UTC
Tom,
Our users and helpdesk have handed us a new requirement to un-expire passwords once an account has been expired by their profile. Basically, they want to reuse the old password they had but can't do it easily because of the password restrictions imposed on their ID's by our profile. The helpdesk has requested and been granted access to SYS to modify the sys.user$ table. I've voiced my opinion about modifying ANY data dictionary table and I'm working on an alternative to modifying SYS tables. My solution is to capture the old password of the expired account, alter the user profile to a less restrictive one, reset the password using the old password, and return the original profile to the user. Is there anything easier then this?
Thanks!
August 23, 2005 - 4:06 am UTC
OH MY GOSH.
If your helpdesk updates sys.user$, you are dead in the water. You have to restart the database at the very least and be willing to have the reciever go somewhat dead when you call support.
You CANNOT UPDATE THAT TABLE, period.
This is not anything I'll even debate. That is the silliest idea I've heard. You cannot DO THIS.
If you want to un-expire passwords, well, hey -- then DON'T EXPIRE THEM IN THE FIRST PLACE???!!??! What are they thinking? I don't get it. I know you didn't do this - but these people have to be stopped, stopped dead in their tracks.
What is the point of implementing security here at all????????
This is just not smart.
preaching to the choir...
Craig, August 23, 2005 - 10:18 am UTC
Tom,
You pretty much nailed every question I asked when I heard about it. I scripted an alternative for them that does not involve touching sys.user$ dictionary table and am encouraging changing profiles to avoid this problem altogether. I just needed an expert to voice their opinion.
Could you possibly expand and clarify the first part of your response...
<quote>
...If your helpdesk updates sys.user$, you are dead in the water. You have to restart the database at the very least and be willing to have the reciever go somewhat dead when you call support...
</quote>
Thanks!
August 24, 2005 - 4:26 am UTC
parts of sys.user$ is cached in the dictionary cache in the SGA, unless you shutdown abort and startup afterwards, the cache in the SGA is out of sync with the table and very strange things can happen.
but bottom line, they CANNOT DO THAT, they cannot update sys.user$
Irony
Guest, August 24, 2005 - 5:10 am UTC
huh.., The irony of this. Almost Five years back this site was created for exactly this question. five years down the line and we have the same question...., Time for a revamp of asktom?
"The helpdesk has requested and been granted access to SYS to modify the sys.user$ table." -- Hmm..who would have "granted access" to the sys tables ?
August 24, 2005 - 10:56 am UTC
It is ironic isn't it, it keeps coming up over and over and over again.
updating the data dictionary, among the dumbest things you can do.
Password Policy
jcpj, January 13, 2006 - 8:55 am UTC
Which could be a good password policy for SYS and SYSTEM user?, change password every 60 days?, grace period?, number of attempts? Can you give me some hints on this?
thanks
January 13, 2006 - 11:17 am UTC
lock the accounts.
you shouldn't be using them - unlock them when you want to upgrade/absolutely need them.
your dba's should definitely not be using them day to day.
RP, March 23, 2006 - 6:29 pm UTC
Hi Tom,
i am won over by your argument to use Oracle's features where ever you can to stop reinventing the wheel.
However, all it takes is one small requirement that can't be met for people to go back to their inferior hand crafted solutions.
The issue i am referring is to the classic 'app managed accounts' and access to the db via a super privileged account.
The only thing stopping me from using proper Oracle accounts in my apps is that my bank has stipulated case-sensitive passwords which Oracle does not support. Is there no workaround?
Thanks
RP
JDBC connection: Protocol violation [17401]
Laxman Kondal, May 02, 2006 - 10:00 am UTC
Hi Tom,
We are using Oracle10gR2 and testing a profile which limits password_grace_time
sys@WNGDRP> alter profile strong_pwd2 limit password_grace_time 3;
Profile altered.
sys@WNGDRP>
--------------------------------------------
Now when I logon as scott2/tiger it works fine:
--------------------------------------------
C:\>sqlplus scott2/tiger@wngdrp.eei1.com
SQL*Plus: Release 10.1.0.4.2 - Production on Tue May 2 09:40:59 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-28002: the password will expire within 2 days
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
scott2@WNGDRP>
--------------------------------------------
But application gets this error and never logged on:
--------------------------------------------
05/02/2006 07:42:02 [DBUG] User.AuthenticateUser():323 Begin
05/02/2006 07:42:51 [DBUG] JdbcConnectionPoolDriver.connect() connect(jdbc:oracle:thin:@172.16.100.45:1521:wngdrp, {user=scott2, password=tiger, dll=ocijdbc9, protocol=thin})
05/02/2006 07:47:42 [EROR] UserModel.doLogin():277 java.sql.SQLException: Protocol violation
java.sql.SQLException: Protocol violation
Â…
Â…
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Thread.java:534)
05/02/2006 07:47:42 [DBUG] ActionHelper.handleException():285 Protocol violation [17401]
05/02/2006 07:47:42 [DBUG] ActionHelper.handleRootCause():309 java.sql.SQLException: Protocol violation
05/02/2006 07:47:42 [DBUG] ActionDispatcher.execute():188 Could not find ActionForward - raising exception
--------------------------------------
And for all other login where password_grace_time not yet started it works fine.
Where is the problem in this case - JDBC or some where else and how do I correct this please?
Where can I find Protocol violation [17401] description please?
Thanks and regards.
May 02, 2006 - 3:32 pm UTC
I'll refer you to support for this one - assuming you are using the current jdbc drivers first (that'll be their first question in all likelyhood)
JDBC connection: Protocol violation [17401]
Laxman Kondal, May 02, 2006 - 4:19 pm UTC
Hi Tom,
Thanks for reply and we will do as you suggested.
Regards
Force uppercase passwords
Sanji, July 13, 2006 - 11:21 am UTC
Tom
Our application uses Transparent Gateway for Sybase.
Oracle 10g Rel. 1, HP-UX 11i.
Issue here is that user accounts get locked in Sybase because of password policy of locking account after couple of unsuccessful attempts.
Sybase (in this environment) accepts password in UPPERCASE, and users quite frequently enter passwords in lower case from SQL* Plus, causing account locking on a daily basis.
Is there a routine that can check this from SQL*Plus ?
Thanks
Sanji
July 13, 2006 - 1:38 pm UTC
check "what"?
what would you like to do?
Password in UPPERCASE
Sanji, July 13, 2006 - 3:28 pm UTC
Sorry for missing on that..
We want to ensure that the passwords are provided in UPPERCASE. The users generally do not realize that the passwords are in lower case, causing locking in SYBASE.
Thanks
Sanji
July 13, 2006 - 5:21 pm UTC
not using the standard "connect" syntax no.
you cannot change the way the connect command works
You would/could provide a script - connect.sql - and train them to use that to connect instead of the connect command
but then - you might as well train them that the password is case sensitive in sybase?
Case-sensitive passwords
Jack Mulhollan, October 20, 2006 - 7:26 pm UTC
Above, RP from London UK said: "The only thing stopping me from using proper Oracle accounts in my apps is that my bank has stipulated case-sensitive passwords which Oracle does not support. Is there no workaround?"
I bet that is a common stipulation. However, unlike many stipulations imposed on developers, there isn't really any good argument against it. Personally, I'm not going to debate management (or a customer) on the point!
Oracle Note 340240.1 says that 10g Enterprise User Security (EUS) supports case-sensitive passwords, and hints that a future release of the Oracle database will support case-sensitive passwords. If I am not mistaken EUS is a feature of the Oracle Advanced Security option, which also supports other strong alternatives for authentication.
This creates a common dilemma:
1. Re-invent the wheel (requires time)
OR 2. Buy and learn new software (requires time and money)
Experience tells me that I should reserve option 2 for when I really need it. Chances are, a bank really needs it, but still I wonder, is there an easy workaround that would suffice?
The idea that popped into my mind is proxy authentication together with home-grown case-sensitive application authentication, which could be implemented in Oracle. For example, the application connects to Oracle, checks the user's application password (including case) against a dbms_crypto hash digest of (username||'/'||password||salt), then connects the user to a "proper Oracle account".
How would you assess the safety of this approach? If you find it tolerable, what details would you worry about to make it as secure as possible? Thanks.
- Jack
October 21, 2006 - 11:02 am UTC
that approach is sound (I've done similar things myself in the past)
Isabelle, January 26, 2007 - 4:26 pm UTC
Hi Tom,
After the user account password expired, dose the database links connect to this account become invalid? Is there anyway to avoid recreate those database links?
Thanks.
What about a DAD
Stacey, December 29, 2011 - 9:40 am UTC
How can I configure a DAD to display a message that a user's password has been expired instead of the login box just keeps re-appearing?
Another related question, If I use a constant connection ( with a defined username/password) to a DAD, that displays a login page, which serves to check the user's status, how can I change connection to the user loggin on?
In other words, can I dynamically pass credentials as parameters to a DAD?
Thanks,
December 29, 2011 - 11:53 am UTC
I don't think that you can - it is sort of a chicken and egg problem. In order to get any code to run, you have to be logged in, but you cannot log in as long as your password is expired.
Another related question, If I use a constant connection ( with a defined
username/password) to a DAD, that displays a login page, which serves to check
the user's status, how can I change connection to the user loggin on?
In other words, can I dynamically pass credentials as parameters to a DAD?No, not really - but sort of. If you were willing to make the login sort of a two step - you could put up a screen to input a username - do your validation - then redirect them to your current URL with their username already in the URL. The challenge box should (this will be browser dependent) appear with their username in there - and only need a password now
http://pixelpusher.com/viewsource/userpass.shtml you could pass the username and password in the URL - but that wouldn't be a good idea for obvious reasons.
Another Approach
Stacey, January 04, 2012 - 9:34 am UTC
When confuguring the DAD, there are three options for Error Style: Apache Style, modplsql Style and Debug Style.
Each style produces an error message. If the password is expired, can I edit any of these error pages to direct them to a (DAD) url with a hard-coded login credntials that will present the user to a page that will allow them to change their password?
If so, which is the best error style to choose and where do I edit the message to include the hyperlink?
Thanks
January 04, 2012 - 9:39 am UTC
I'll suggest you use the apex discussion forum on otn.oracle.com. That group owns the mod_plsql module and would be best positioned to answer this particular type of question.
passwords
sam, August 14, 2013 - 10:35 pm UTC
Tom:
In Oracle 11g the application account DB paswords expire every 6 months.
I found out the application stops working after a password expires.
I want to set passwords so they do not expire in production.
Would you change the default profile or create a new profile and change those accounts to use that profile.
If I changed the default profile all other oracle accounts will be similar. If i created a new profile, then I assume i would want to copy whatever is in the DEFAULT profile to it too and just change the password_expire line.
please advise what is the best option?
August 15, 2013 - 10:56 am UTC
Sam
can you guess what my answer will be?
Only you - you and only you - know which is the best option for your place of work. What are your rules, what are your security policies, what do you want to do?
it is totally up to you.
password
A reader, August 15, 2013 - 8:59 pm UTC
Tom:
I want to change it but would you change default or create new profile? I wanted to create new profile but then don't I have to copy everything in default too.
Good thing they did not enforce the password to be 16 characters with special symbols, etc. etc.. so everyone would be writing it on a piece of paper stamped on his desk.
dc03
diegoluis, August 23, 2013 - 7:54 pm UTC
si
Password Management
Martins Adegoke, August 24, 2013 - 11:44 pm UTC
To support Oracle 8, 8i and 9i at enterprises that still rely on these previous Oracle DBMS releases, i often love my Oracle supplied books during private study at home. Now, all my Oracle, Java, UNIX, LINUX etc. books are missing due to an ugly development,searching Oracle metalink can be tedious when you feel like studying to refresh memory. Does Oracle still have previous Oracle DBMS books available for purchase? Thank you.
Alexander, December 17, 2014 - 7:48 pm UTC
Tom,
As of version 11.2, should I be able to extract the password hash using dbms_metadata.get_ddl for a user and run that on another database and have the password work/be the same? I was able to do this in the past, but I can't recall the exact circumstances, but probably 10g. I swear I'd done it on 11g as well but lately I've been having problems with it.
Thanks.
December 17, 2014 - 11:29 pm UTC
11.2.0.4:
ops$tkyte%ORA11GR2> select dbms_metadata.get_ddl( 'USER', user ) from dual;
DBMS_METADATA.GET_DDL('USER',USER)
-------------------------------------------------------------------------------
CREATE USER "OPS$TKYTE" IDENTIFIED BY VALUES 'S:0087E82C62DD5C4E8BD178EF1649
CB63826BE8820BCC33F5430DC935B9C1;CF0015EA0385D263'
DEFAULT TABLESPACE "USERS"
TEMPORARY TABLESPACE "TMP"
similar in 12.1...
what is meant by "having problems with it", do you have an example of creating a user and then having this problem?
A reader, December 18, 2014 - 3:40 pm UTC
I mean, I did what you have shown, grabbed that string of gibberish and did an alter user identified by values '...' and the application people would report that the password stored in their datasource would no longer work. I think I may have made that password string one line thinking it wrapped, maybe that affected it. Looking back on it I should have just let impdp create the users since I was running one anyway to migrate to a new environment. But you answered my question, I basically just wanted to know if using that hash should work.
December 18, 2014 - 8:27 pm UTC
should work
ops$tkyte%ORA11GR2> connect ops$tkyte/foobar;
Connected.
ops$tkyte%ORA11GR2> set linesize 1000
ops$tkyte%ORA11GR2> column x format a1000
ops$tkyte%ORA11GR2> select dbms_metadata.get_ddl( 'USER', user )x from dual;
X
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CREATE USER "OPS$TKYTE" IDENTIFIED BY VALUES 'S:0087E82C62DD5C4E8BD178EF1649CB63826BE8820BCC33F5430DC935B9C1;CF0015EA0385D263'
DEFAULT TABLESPACE "USERS"
TEMPORARY TABLESPACE "TMP"
ops$tkyte%ORA11GR2> alter user "OPS$TKYTE" IDENTIFIED BY VALUES 'S:0087E82C62DD5C4E8BD178EF1649CB63826BE8820BCC33F5430DC935B9C1;CF0015EA0385D263';
User altered.
ops$tkyte%ORA11GR2> connect ops$tkyte/foobar;
Connected.
ops$tkyte%ORA11GR2>
you might have fumbled the unwrapping. it should be just one big string - no spaces
passwords
sam, December 22, 2014 - 9:58 pm UTC
Tom,
In your database, when you have some application accounts and some user accounts
How do you normally set each schema/user password?
Do you follow some keyboard or algorithm pattern that can make it easy to remember when I try to login to application.
It seems we would have to write it on a piece of paper due to the number and complexity of passwords these days.
A reader, March 19, 2015 - 5:22 pm UTC
You can set the schema password same as database password
Hi, this is Bhagyshri.
Bhagyshri, August 21, 2019 - 7:01 pm UTC
Actually I have unlock system account and now I wamt to reset the password.but am getting error like invalid old password.
And now am not able to understand what to do.please help me out.
August 22, 2019 - 10:25 am UTC
What exactly are you doing and what errors are you getting?
Can you login as another user (e.g. sys) to change the password?