Case-Insensitive Passwords and ORA-1017 Invalid Username or Password

The Oracle Database 12c release 2 (12.2) default authentication protocol is 12 (Exclusive Mode). This protocol requires case-sensitive passwords for authentication. Review your options if you have earlier release password versions.

Starting with Oracle Database 12c release 2 (12.2), the default value for the SQLNET.ORA parameter ALLOWED_LOGON_VERSION_SERVER is changed to 12. This parameter refers to the logon authentication protocol used for the server, not the Oracle Database release.

By default, Oracle no longer supports case-insensitive password-based authentication; only the new password versions (11G and 12C) are allowed. The case-insensitive 10G password version is no longer generated.

If the following conditions are true, then you may have accounts that are prevented from logging into the database after upgrading to 12.2:

  • You are upgrading a server that has user accounts created in an earlier Oracle Database release.

  • User accounts created in the earlier release use a case-insensitive password version from an earlier release authentication protocol, such as the 10G password version.

  • Earlier release user accounts have not reset passwords.

  • The server has been configured with SEC_CASE_SENSITIVE_LOGON set to FALSE, so that it can only authenticate users who have a 10G case-insensitive password version.

If you have accounts that require 10G password versions, then to prevent accounts using that password version from being locked out of the database, you can change from an Exclusive Mode to a more permissive authentication protocol.


Oracle does not support case-insensitive password-based authentication while running in an Exclusive Mode. The default authentication protocol in Oracle Database 12c release 2 (12.2) is an Exclusive Mode. Oracle only supports case-insensitive authentication with the following conditions:

  • The server is running in a mode other than an Exclusive Mode

  • The 10G password version is present

Option for Servers with Accounts Using Only 10G Password Version

After you upgrade to Oracle Database 12c release 2 (12.2), complete the following procedure to enable accounts using the 10G password version:

  1. Log in as an administrator.

  2. Edit the SQLNET.ORA file to change the SQLNET.ALLOWED_LOGON_VERSION_SERVER setting from the default, 12, to 11 or lower. For example:


After you change to a more permissive SQLNET.ALLOWED_LOGON_VERSION_SERVER setting, expire users’ passwords to require them to change their passwords. For detailed information, refer to Oracle Database Security Guide.