PASSWORD_ROLLOVER_TIME - check actual expiry date

Question and Answer

Chris Saxon

Thanks for the question.

Asked: September 17, 2024 - 6:42 am UTC

Last updated: July 07, 2025 - 10:15 am UTC

Version: 19.24

You Asked

Hi "Tom",

A question regarding the Gradual Password Rollover feature. I'm running Oracle Enterprise 19.24 on Linux.


Consider this example, assuming I run it on September 1st:

create profile PWROLLOVER limit password_rollover_time 10;

alter user SCOTT profile PWROLLOVER;
alter user SCOTT identified by "Lion2024";


This means that Scott will be able to use the old and new password until September 10th, after that the old password will expire and only the new one will work. I review this date by checking PASSWORD_CHANGE_DATE from DBA_USERS and the respective LIMIT from DBA_PROFILES.

So far so good.

Now consider this, executed on September 5th:

alter profile PWROLLOVER limit password_rollover_time 30;

To my knowledge, the expiry date of the old password is set when it is changed, so it will remain Sep. 10th.

Q1: Is this correct?

Q2: How/where can I see the actual expiry date for Scott after the profile change?

Thanks!
Bjoern

and Chris said...

No. The database uses the current password_rollover_time to determine when the rollover period ends.

If you change this limit when a user is in the rollover period, it ends at whatever the current password_change_date + limit is. In your example you get an extra 20 days to change scott's connections.

So you can use a query like this to see when users' rollovers will end:

select 
       username, profile, account_status, password_change_date,
       case 
         when account_status like '%ROLLOVER%' then
           password_change_date + limit 
       end rollover_ends
from   dba_users 
join   dba_profiles
using  ( profile )
where  resource_name = 'PASSWORD_ROLLOVER_TIME';

Comments

Bjoern, September 19, 2024 - 10:33 am UTC

That was very helpful. Thank you so much!
Chris Saxon
September 20, 2024 - 11:11 am UTC

You're welcome

Current used password when rollover is active

SAMER M. ALJAZZAR, July 06, 2025 - 8:30 am UTC

Hi,

How can I find which password is currently used for a user who is in open+ rollover?
Chris Saxon
July 07, 2025 - 10:15 am UTC

You can see who is still using their old password by auditing login events. Users who haven't migrated to the new password will have OLD in the VERIFIER section of the authentication_type:

SELECT DBUSERNAME, AUTHENTICATION_TYPE, OS_USERNAME, USERHOST, EVENT_TIMESTAMP 
FROM UNIFIED_AUDIT_TRAIL 
WHERE ACTION_NAME='LOGON' AND EVENT_TIMESTAMP > SYSDATE-1
AND REGEXP_LIKE(AUTHENTICATION_TYPE, '\(VERIFIER=.*?\-OLD\)');


https://docs.oracle.com/en/database/oracle/oracle-database/23/dbseg/configuring-authentication.html#GUID-2C318699-0F38-4F08-993A-070DB944712D
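
The two queries in this thread can be combined to list every account still in rollover, when its old password stops working, and which hosts are still logging on with the old verifier. This is an added example, not part of the original answers. It assumes LOGON events are being captured in the unified audit trail, uses a 7-day lookback chosen for illustration, and resolves a profile limit of DEFAULT against the DEFAULT profile.

```sql
-- Added example: accounts in rollover, their rollover end date, and the
-- clients that still authenticate with the OLD verifier.
-- Assumptions: LOGON is audited; the 7-day window is an illustrative choice.
with rollover_users as (
  select u.username,
         u.profile,
         u.password_change_date,
         -- A limit of DEFAULT inherits the value set on the DEFAULT profile.
         -- Non-numeric limits convert to null instead of raising an error.
         u.password_change_date + to_number(
           case p.limit when 'DEFAULT' then d.limit else p.limit end
           default null on conversion error
         ) as rollover_ends
  from   dba_users u
  join   dba_profiles p
         on  p.profile = u.profile
         and p.resource_name = 'PASSWORD_ROLLOVER_TIME'
  join   dba_profiles d
         on  d.profile = 'DEFAULT'
         and d.resource_name = 'PASSWORD_ROLLOVER_TIME'
  where  u.account_status like '%ROLLOVER%'
),
old_logons as (
  -- Same VERIFIER=...-OLD match as the audit query above, grouped per client
  select dbusername,
         userhost,
         os_username,
         count(*)             as old_password_logons,
         max(event_timestamp) as last_old_logon
  from   unified_audit_trail
  where  action_name = 'LOGON'
  and    event_timestamp > systimestamp - interval '7' day
  and    regexp_like(authentication_type, '\(VERIFIER=.*?\-OLD\)')
  group  by dbusername, userhost, os_username
)
select r.username, r.profile, r.rollover_ends,
       round(r.rollover_ends - sysdate, 1) as days_left,
       o.userhost, o.os_username,
       o.old_password_logons, o.last_old_logon
from   rollover_users r
left join old_logons o
       on o.dbusername = r.username
order  by r.rollover_ends, r.username, o.last_old_logon desc nulls last;
```

A row with null client columns means no old-password logon was audited for that account in the window. Rows with a small days_left and a recent last_old_logon are the connections that will start failing when the rollover period ends.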