Password Verify Function Not Enforcing Difference Between Old and New Passwords

(Doc ID 816932.1)

Last updated on NOVEMBER 03, 2015

Applies to:

Oracle Database - Enterprise Edition - Version to [Release 10.1 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 21-May-2013


This article explains why, in certain circumstances, the password verification function (as set by the PASSWORD_VERIFY_FUNCTION parameter of a user profile) cannot check the differences between the old and the new passwords.


In this note we will assume that you have implemented the password verify function as per the example provided by Oracle in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.
You can normally make your own changes to this function to suit your own needs. For the purposes of this note we will assume that the function is implemented without changes.

This example script contains a check to see if the new password differs by at least 3 characters from the old password. In some cases, as described below, you might find that this check is bypassed.
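
A sketch of the kind of difference check described above, added here as an illustration; it is not the text of utlpwdmg.sql and not Oracle's own code. The function name demo_password_differs and the sample passwords are hypothetical, and the sketch assumes the comparison is only attempted when the function is handed a non-NULL old password, so a call without one is accepted without any comparison.

```sql
-- Added illustration: standalone function modelled on the "differs by at
-- least 3 characters" check. demo_password_differs is a hypothetical name.
CREATE OR REPLACE FUNCTION demo_password_differs (
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN IS
  differ PLS_INTEGER;
  m      PLS_INTEGER;
BEGIN
  -- Assumption: with no old password there is nothing to compare against,
  -- so the difference check is skipped entirely.
  IF old_password IS NULL THEN
    RETURN TRUE;
  END IF;

  -- Start from the length difference, then count mismatched positions
  -- over the shorter of the two strings.
  differ := ABS(LENGTH(old_password) - LENGTH(password));
  IF differ < 3 THEN
    m := LEAST(LENGTH(password), LENGTH(old_password));
    FOR i IN 1 .. m LOOP
      IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
  END IF;

  IF differ < 3 THEN
    raise_application_error(-20011,
      'Password should differ from the old password by at least 3 characters');
  END IF;
  RETURN TRUE;
END;
/

-- Constructed sample calls (run in SQL*Plus with SET SERVEROUTPUT ON).
BEGIN
  IF demo_password_differs('Winter2016', NULL) THEN
    DBMS_OUTPUT.PUT_LINE('old password NULL: accepted, no comparison made');
  END IF;
  IF demo_password_differs('Winter2016', 'Summer2015') THEN
    DBMS_OUTPUT.PUT_LINE('old password supplied, enough changes: accepted');
  END IF;
  IF demo_password_differs('Winter2016', 'Winter2015') THEN
    DBMS_OUTPUT.PUT_LINE('not reached: one changed character is rejected');
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
END;
/
```

When auditing a customised verify function, check how it behaves with a NULL old password, since that path decides whether the difference rule is applied at all.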

