
Password Verify Function Not Enforcing Difference Between Old and New Passwords (Doc ID 816932.1)

Last updated on SEPTEMBER 25, 2018

Applies to:

Oracle Database - Enterprise Edition - Version 10.1.0.2 to 11.2.0.3 [Release 10.1 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 21-May-2013


Symptoms

This article explains why, in certain circumstances, the password verification function (set by the PASSWORD_VERIFY_FUNCTION parameter of a user profile) cannot check the differences between the old and the new passwords.

Changes

In this note we will assume that you have implemented the password verify function as per the example provided by Oracle in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.
You can normally make your own changes to this function to suit your own needs; for the purposes of this note we will assume that the function is implemented without changes.

This example script contains a check to see if the new password differs by at least 3 characters from the old password. In some cases, as described below, you might find that this check is bypassed.
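
An added illustration, not Oracle's script and not part of the original note: a simplified PL/SQL model of a "differs by at least 3 characters" check, showing that it can only be enforced when the old password is available to the function. The helper names `differs_enough` and `show`, the sample passwords, and the assumption that a missing old password arrives as NULL are hypothetical.

```sql
SET SERVEROUTPUT ON

DECLARE
  -- Hypothetical helper modelling a "differs by at least 3 characters" check.
  -- Returns TRUE when the new password would be accepted.
  FUNCTION differs_enough(new_pw IN VARCHAR2, old_pw IN VARCHAR2)
    RETURN BOOLEAN
  IS
    differ PLS_INTEGER;
  BEGIN
    -- Assumption: the old password arrives as NULL when it was not supplied.
    -- There is nothing to compare against, so the check cannot reject.
    IF old_pw IS NULL THEN
      RETURN TRUE;
    END IF;

    -- The length difference counts towards the total; the overlapping part
    -- is then compared position by position.
    differ := ABS(LENGTH(old_pw) - LENGTH(new_pw));
    FOR i IN 1 .. LEAST(LENGTH(old_pw), LENGTH(new_pw)) LOOP
      IF SUBSTR(new_pw, i, 1) != SUBSTR(old_pw, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    RETURN differ >= 3;
  END differs_enough;

  -- Prints one result line per test case.
  PROCEDURE show(descr IN VARCHAR2, ok IN BOOLEAN) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(RPAD(descr, 40) ||
      CASE WHEN ok THEN 'accepted' ELSE 'rejected' END);
  END show;
BEGIN
  -- Constructed sample passwords, for illustration only.
  show('old known, 1 char changed',  differs_enough('Summer#2018', 'Summer#2017'));
  show('old known, 4 chars changed', differs_enough('Winter#2018', 'Summer#2018'));
  show('old not supplied (NULL)',    differs_enough('Summer#2017', NULL));
END;
/
```

The first call is rejected and the second accepted; the third is accepted regardless of the new value because no comparison takes place.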

Cause



In this Document
Symptoms
Changes
Cause
Solution
 All 3 normal ways of changing a password for normal users do not have any problems
 Using the ALTER USER privilege means the old password is not needed
 Users with the ALTER USER privilege changing their own password
 Preventing the use of the ALTER USER privilege
References
