Password Verify Function Not Enforcing Difference Between Old and New Passwords
(Doc ID 816932.1)
Last updated on SEPTEMBER 25, 2018
Oracle Database - Enterprise Edition - Version 10.1.0.2 to 220.127.116.11 [Release 10.1 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 21-May-2013
This article explains why, in certain circumstances, the password verification function (as set by the PASSWORD_VERIFY_FUNCTION parameter of a user profile) cannot check the differences between the old and the new passwords.
In this note we will assume that you have implemented the password verify function as per the example provided by Oracle in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. You can normally make your own changes to this function to suit your own needs, but for the purposes of this note we will assume that the function is implemented without changes.
This example script contains a check to see if the new password differs by at least 3 characters from the old password. In some cases, as described below, you might find that this check is bypassed.
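As an added example (not Oracle's script and not part of the original note), here is a minimal PL/SQL sketch of a "differs by at least 3 characters" rule using a position-by-position comparison. The function name, the error number and message, and the comparison method are assumptions made for illustration; the sketch also shows that such a rule can only be evaluated when an old password value is actually passed to the function.

```sql
-- Added illustration; this is not the contents of utlpwdmg.sql.
-- demo_verify_differ is a hypothetical name. The three VARCHAR2 parameters
-- and the BOOLEAN return follow the calling convention of a profile's
-- PASSWORD_VERIFY_FUNCTION.
CREATE OR REPLACE FUNCTION demo_verify_differ (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN
IS
  c_min_differ CONSTANT PLS_INTEGER := 3;  -- threshold stated in the note
  l_common     PLS_INTEGER;                -- length shared by both values
  l_differ     PLS_INTEGER;                -- running count of differences
BEGIN
  -- Edge case: with no old password value there is nothing to compare
  -- against, so the difference rule cannot be evaluated and is skipped.
  IF old_password IS NULL THEN
    RETURN TRUE;
  END IF;

  -- Each extra or missing trailing character counts as one difference.
  l_differ := ABS(LENGTH(password) - LENGTH(old_password));
  l_common := LEAST(LENGTH(password), LENGTH(old_password));

  -- Compare position by position over the shared length.
  FOR i IN 1 .. l_common LOOP
    IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
      l_differ := l_differ + 1;
    END IF;
  END LOOP;

  -- Constructed error number and message, chosen for this example only.
  IF l_differ < c_min_differ THEN
    RAISE_APPLICATION_ERROR(-20011,
      'Password should differ from the old password by at least 3 characters');
  END IF;

  RETURN TRUE;
END demo_verify_differ;
/
```

When auditing a customised verify function, check what it does in the branch where the old password argument is NULL, since every comparison against the previous password depends on that value being present.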