Password Verify Function Not Enforcing Difference Between Old and New Passwords
(Doc ID 816932.1)
Last updated on FEBRUARY 01, 2022
Applies to:
Oracle Database Backup Service - Version N/A and later
Oracle Database Cloud Exadata Service - Version N/A and later
Oracle Database Cloud Service - Version N/A and later
Oracle Database - Enterprise Edition - Version 10.1.0.2 to 184.108.40.206 [Release 10.1 to 11.2]
Oracle Database Cloud Schema Service - Version N/A and later
Information in this document applies to any platform.
This article explains why, in certain circumstances, the password verification function (as set by the PASSWORD_VERIFY_FUNCTION parameter of a user profile) cannot check the differences between the old and the new passwords.
In this note we will assume that you have implemented the password verify function as per the example provided by Oracle in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.
You can normally make your own changes to this function to suit your own needs; for the purposes of this note we will assume that the function is implemented without changes.
This example script contains a check to see if the new password differs by at least 3 characters from the old password. In some cases, as described below, you might find that this check is bypassed.
In this Document
All 3 normal ways of changing a password for normal users do not have any problems
Using the ALTER USER privilege means the old password is not needed
Users with the ALTER USER privilege changing their own password
Preventing the use of the ALTER USER privilege
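
The following PL/SQL block is an added illustration, not Oracle's utlpwdmg.sql and not code from this note. It models a "differ by at least 3 characters" check and shows why it cannot reject anything when the old password is not supplied. It assumes the check is skipped when the old password is NULL; the names differs_enough and show and the sample passwords are hypothetical.

```sql
-- Added illustration: simplified model of a "differ by at least 3 characters"
-- check; not a copy of utlpwdmg.sql. All names here are hypothetical.
SET SERVEROUTPUT ON

DECLARE
  -- Returns TRUE when the new password is accepted by the difference check.
  FUNCTION differs_enough (
    p_new IN VARCHAR2,
    p_old IN VARCHAR2
  ) RETURN BOOLEAN
  IS
    l_differ PLS_INTEGER;
  BEGIN
    -- Assumption: with no old password there is nothing to compare,
    -- so the check cannot reject the new password.
    IF p_old IS NULL THEN
      RETURN TRUE;
    END IF;

    -- Length difference plus position-by-position mismatches.
    l_differ := ABS(LENGTH(p_old) - LENGTH(p_new));
    FOR i IN 1 .. LEAST(LENGTH(p_old), LENGTH(p_new)) LOOP
      IF SUBSTR(p_new, i, 1) != SUBSTR(p_old, i, 1) THEN
        l_differ := l_differ + 1;
      END IF;
    END LOOP;

    RETURN l_differ >= 3;
  END differs_enough;

  PROCEDURE show (p_label IN VARCHAR2, p_ok IN BOOLEAN) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(RPAD(p_label, 40) ||
      CASE WHEN p_ok THEN 'accepted' ELSE 'rejected' END);
  END show;
BEGIN
  -- Constructed sample values.
  show('old supplied, 1 character changed',
       differs_enough('Summer2022a', 'Summer2021a'));
  show('old supplied, 4 characters changed',
       differs_enough('Winter2022a', 'Summer2022a'));
  show('old NULL, 1 character changed',
       differs_enough('Summer2022a', NULL));
END;
/
```

The first call is rejected and the second accepted, while the third is accepted even though only one character changed, because there is no old password to compare against.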