Require old password when setting a new password to a specific user in Oracle

Does Oracle 12 support having the old password required when changing a password to a specific user?

What I would like:

ALTER USER user_a IDENTIFIED BY secret123;
-- ERROR, missing old password

ALTER USER user_a IDENTIFIED BY secret456 REPLACE secret123;
-- OK

ALTER USER user_b IDENTIFIED BY secret789;
-- OK, since user_b does not require old password when changing it

Thanks!

Jostein Topland asked Oct 17 '22 17:10



1 Answer

Yes, this is supported since Oracle 9i, when a function was introduced that checks a new password for complexity and optionally for difference to the old password. As Oracle stores only hashes, not the passwords, it cannot compare old and new passwords unless the user supplies it during the change.

So, all users with a PROFILE where the PASSWORD_VERIFY_FUNCTION is set are required to have the old password, even if this function doesn't check any passwords:

CREATE OR REPLACE FUNCTION always_true (
  username     VARCHAR2, 
  password     VARCHAR2, 
  old_password VARCHAR2) RETURN boolean IS
BEGIN
  RETURN TRUE;
END always_true;
/

CREATE PROFILE always_true 
  LIMIT PASSWORD_VERIFY_FUNCTION always_true;

CREATE USER user_a IDENTIFIED BY secret123 PROFILE always_true;
GRANT CREATE SESSION to user_a;

Now user_a has to specify the old password:

ALTER USER user_a IDENTIFIED BY secret123;
ORA-28221: REPLACE not specified

ALTER USER user_a IDENTIFIED BY secret456 REPLACE secret123;
User altered.

A user with a profile without PASSWORD_VERIFY_FUNCTION or this parameter set to NULL doesn't have to specify the old password:

CREATE PROFILE without_function 
  LIMIT PASSWORD_VERIFY_FUNCTION NULL;

CREATE USER user_b IDENTIFIED BY secret123 PROFILE without_function;
GRANT CREATE SESSION to user_b;

Now user_b can change his/her password without having the old password:

ALTER USER user_b IDENTIFIED BY secret789;
User altered.

The second option is to have the privilege ALTER USER, but that is only for administrators, as they can change the passwords of all accounts.

wolφi answered Oct 21 '22 00:10

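The always_true function in the answer only forces the REPLACE clause; it never looks at the passwords it is given. The following is an added example (not part of the original answer or of Oracle's own scripts) of a verify function that uses the old password the REPLACE clause makes available: it rejects a new password that is too short, that contains the username, or that differs from the old one in fewer than three positions. The names verify_differs, strict_change and user_c, the thresholds, and the sample passwords are assumptions. It has to be created as SYS, since Oracle requires the PASSWORD_VERIFY_FUNCTION to be owned by SYS.

```sql
-- Added example: a verify function that actually compares old and new
-- passwords. Create as SYS. Names and thresholds are assumptions.
CREATE OR REPLACE FUNCTION verify_differs (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2) RETURN BOOLEAN IS
  min_len      CONSTANT PLS_INTEGER := 12;  -- assumed minimum length
  min_diff     CONSTANT PLS_INTEGER := 3;   -- assumed minimum differing positions
  differ       PLS_INTEGER := 0;
BEGIN
  -- Minimum length.
  IF password IS NULL OR LENGTH(password) < min_len THEN
    raise_application_error(-20001,
      'Password must be at least ' || min_len || ' characters');
  END IF;

  -- The password must not contain the username (case-insensitive).
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002,
      'Password must not contain the username');
  END IF;

  -- old_password is only populated when ALTER USER ... REPLACE supplied it
  -- (an administrator with ALTER USER may omit REPLACE, giving NULL here).
  IF old_password IS NOT NULL THEN
    IF UPPER(password) = UPPER(old_password) THEN
      raise_application_error(-20003,
        'New password must differ from the old password');
    END IF;

    -- Count positions where the two strings differ, plus any length difference.
    differ := ABS(LENGTH(password) - LENGTH(old_password));
    FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;

    IF differ < min_diff THEN
      raise_application_error(-20004,
        'New password must differ from the old one in at least '
        || min_diff || ' characters');
    END IF;
  END IF;

  RETURN TRUE;
END verify_differs;
/

CREATE PROFILE strict_change
  LIMIT PASSWORD_VERIFY_FUNCTION verify_differs;

-- Constructed sample account; hyphens require the password to be quoted.
CREATE USER user_c IDENTIFIED BY "Correct-Horse-Battery-1" PROFILE strict_change;
GRANT CREATE SESSION TO user_c;

-- Connected as user_c:
-- ALTER USER user_c IDENTIFIED BY "Correct-Horse-Battery-2";
--   -> ORA-28221: REPLACE not specified
-- ALTER USER user_c IDENTIFIED BY "Correct-Horse-Battery-2" REPLACE "Correct-Horse-Battery-1";
--   -> ORA-20004: only one position differs
-- ALTER USER user_c IDENTIFIED BY "Staple-Horse-Battery-9x" REPLACE "Correct-Horse-Battery-1";
--   -> User altered.
```

The position-by-position comparison is deliberately simple; it catches the common "bump the trailing digit" change but not a rotation of the same characters. Oracle's own utlpwdmg.sql script for 12c ships a Levenshtein-style ora_string_distance helper that can replace the loop above if the database has that script installed.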