What Are the Default Restrictions on Oracle Passwords?
Categories: Database Administration, Information Technology, OracleWhat are the valid characters for Oracle passwords? This is a more complicated question than you would think. Here are the basic restrictions on Oracle passwords. I believe these apply to all (8i or later) Oracle database versions; however I did these examples in a 10gR2 instance.
First the rules:
Passwords can be from 1 to 30 characters.
The first character in an Oracle password must be a letter.
Only letters, numbers, and the symbols “#”, “_” and “$” are acceptable in a password.
Examples:
SQL> alter user jemmons identified by abc123;
User altered.
SQL> alter user jemmons identified by 123abc;
alter user jemmons identified by 123abc
*
ERROR at line 1:
ORA-00988: missing or invalid password(s)
SQL> alter user jemmons identified by abc!123;
alter user jemmons identified by abc!123
*
ERROR at line 1:
ORA-00922: missing or invalid option
In the first example we see a password that meets all the rules. The second password starts with a number and therefore fails. The third example contains the special character “!” and fails.
Now the exception:
By placing double quotes around a password you can use most standard ASCII characters in a password.
Examples:
SQL> alter user jemmons identified by "123abc";
User altered.
SQL> connect jemmons/123abc;
Connected.
SQL> alter user jemmons identified by "abc!123";
User altered.
SQL> connect jemmons/abc!123;
Connected.
We see that the quotes let us work around some of these restrictions. This is useful if you are working in a fairly simple environment, however if it is possible that a user’s password could be changed by means which you do not control it is likely doing this would cause more confusion than it would solve.
It is also worth note that capitalization is not considered when storing Oracle passwords. Here’s an example:
SQL> alter user jemmons identified by ABC123;
User altered.
SQL> connect jemmons/abc123;
Connected.
Before the password is encrypted into the database it is put in all caps. When you enter a password for authentication it is capitalized so it can be compared against the stored encrypted password.
4 Responses to “What Are the Default Restrictions on Oracle Passwords?”
-
Jon Says:
November 8th, 2005 at 8:20 pmElsewhere in the blogosphere…
Pete Finnigan’s Oracle Weblog has some fantastic information on Oracle password security and many other Oracle topics. He’s one of the folks out there with his finger on the pulse! When you get tired of my attention deficit ramblings, check him out at petefinnigan.com -
ko Says:
November 14th, 2005 at 3:18 amOne thing that I’ve seen where this can be very useful is setting passwords for accounts used solely by applications. If you set the password to some unprintable characters (say the new line character), then it is much harder for people to type that into sqlplus to gain access to the system but your application can still use that password…
Just a thought.
-
sachin Says:
April 26th, 2011 at 1:46 amHi,
Nice one!!!
I am using 10g and wanted schema passowd contain ” (double quote). Is that possible? If yes, in which version? COuld any post exmaple?
Thanks
Sachin Mali -
Pete Says:
September 12th, 2011 at 6:56 amok, I tried with “word001#” and I still get the above error
Any suggestions?
