
Password Verify Function Not Enforcing Difference Between Old and New Passwords (Doc ID 816932.1)

Last updated on FEBRUARY 01, 2022

Applies to:

Oracle Database Backup Service - Version N/A and later
Oracle Database Cloud Exadata Service - Version N/A and later
Oracle Database Cloud Service - Version N/A and later
Oracle Database - Enterprise Edition - Version 10.1.0.2 to 11.2.0.3 [Release 10.1 to 11.2]
Oracle Database Cloud Schema Service - Version N/A and later
Information in this document applies to any platform.
 


Symptoms

This article explains why, in certain circumstances, the password verification function (as set by the PASSWORD_VERIFY_FUNCTION parameter of a user profile) cannot check the differences between the old and the new passwords.

Changes

In this note we will assume that you have implemented the password verify function as per the example provided by Oracle in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.
You can normally make your own changes to this function to suit your own needs; for the purposes of this note we will assume that the function is implemented without changes.

This example script contains a check to see if the new password differs by at least 3 characters from the old password. In some cases, as described below, you might find that this check is bypassed.
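
The difference rule described above, sketched as an added PL/SQL example (written for this page, not Oracle's utlpwdmg.sql code). `check_differs` is a hypothetical name, the sample passwords are constructed, and the block assumes the old password arrives as NULL when the change did not supply it, in which case there is nothing to compare against and the rule cannot be applied.

```sql
-- Added illustration, not Oracle's utlpwdmg.sql. check_differs is a hypothetical name.
-- Run from SQL*Plus or SQLcl.
SET SERVEROUTPUT ON
DECLARE
  -- Returns a verdict for the "differs by at least 3 characters" rule.
  FUNCTION check_differs(p_new IN VARCHAR2, p_old IN VARCHAR2)
    RETURN VARCHAR2
  IS
    l_differ PLS_INTEGER;
    l_common PLS_INTEGER;
  BEGIN
    -- Assumption: the old password is NULL when it was not supplied with
    -- the change, so the comparison has no second operand.
    IF p_old IS NULL THEN
      RETURN 'SKIPPED (old password not available)';
    END IF;
    -- A difference in length already counts towards the total.
    l_differ := ABS(LENGTH(p_old) - LENGTH(p_new));
    l_common := LEAST(LENGTH(p_old), LENGTH(p_new));
    -- Compare position by position over the shared length.
    FOR i IN 1 .. l_common LOOP
      IF SUBSTR(p_new, i, 1) != SUBSTR(p_old, i, 1) THEN
        l_differ := l_differ + 1;
      END IF;
    END LOOP;
    IF l_differ < 3 THEN
      RETURN 'REJECTED (differs by ' || l_differ || ')';
    END IF;
    RETURN 'ACCEPTED (differs by ' || l_differ || ')';
  END check_differs;
BEGIN
  -- Constructed sample values: near-identical, clearly different, old value absent.
  DBMS_OUTPUT.PUT_LINE(check_differs('Winter#2024', 'Winter#2023'));
  DBMS_OUTPUT.PUT_LINE(check_differs('Spring!2024', 'Winter#2023'));
  DBMS_OUTPUT.PUT_LINE(check_differs('Winter#2024', NULL));
END;
/
```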

Cause



In this Document
Symptoms
Changes
Cause
Solution
 All 3 normal ways of changing a password for normal users do not have any problems
 Using the ALTER USER privilege means the old password is not needed
 Users with the ALTER USER privilege changing their own password
 Preventing the use of the ALTER USER privilege
References
