Managing the Complexity of Passwords

Oracle Database provides a set of functions that you can use to manage the complexity of passwords.

About Password Complexity Verification

Complexity verification checks that each password is complex enough to protect against intruders who try to guess user passwords.

Using a complexity verification function forces users to create strong, secure passwords for database user accounts. You must ensure that the passwords for your users are complex enough to provide reasonable protection against intruders who try to break into the system by guessing passwords.

How Oracle Database Checks the Complexity of Passwords

Oracle Database provides four password verification functions to check password complexity.

These functions are in the catpvf.sql PL/SQL script (located in $ORACLE_HOME/rdbms/admin). When these functions are enabled, they can check whether users are correctly creating or modifying their passwords. When enabled, password complexity checking is not enforced for user SYS; it only applies to non-SYS users. For better security of passwords, Oracle recommends that you associate the password verification function with the default profile. About Customizing Password Complexity Verification provides an example of how to accomplish this.

Who Can Use the Password Complexity Functions?

The password complexity functions enable you to customize how users access your data.

Before you can use the password complexity verification functions in the CREATE PROFILE or ALTER PROFILE statement, you must be granted the EXECUTE privilege on them.

The password verification functions are located in the SYS schema.

verify_function_11G Function Password Requirements

The verify_function_11G function originated in Oracle Database Release 11g.

Note: The verify_function_11G function has been deprecated because it enforces the weaker password restrictions from earlier releases of Oracle Database. Instead, you should use the ORA12C_VERIFY_FUNCTION, ORA12C_STRONG_VERIFY_FUNCTION, ORA12C_STIG_VERIFY_FUNCTION functions, which enforce stronger, more up-to-date password verification restrictions.

This function checks for the following requirements when users create or modify passwords:

The following internal check is also applied:

ora12c_verify_function Password Requirements

The ora12c_verify_function function fulfills the Department of Defense Database Security Technical Implementation Guide requirements.

This function checks for the following requirements when users create or modify passwords:

The following internal check is also applied:

ora12c_strong_verify_function Function Password Requirements

The ora12c_strong_verify_function function is a stringent password verify function.

This function checks for the following requirements when users create or modify passwords:

' ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ / < > , . ; ? ' : | (space)

The following internal check is also applied:

ora12c_stig_verify_function Password Requirements

The ora12c_stig_verify_function function fulfills the Security Technical Implementation Guides (STIG) requirements.

This function checks for the following requirements when users create or modify passwords:

The following internal check is also applied:

The ora12c_stig_verify_function function is the default handler for the ORA_STIG_PROFILE profile, which is available in a newly-created or upgraded Oracle database.

About Customizing Password Complexity Verification

Oracle Database enables you to customize password complexity for your site.

You can create your own password complexity verification function in the SYS schema, similar to the functions that are defined in admin/catpvf.sql. In fact, Oracle recommends that you do so to further secure your site’s passwords.

Note the following:

Enabling Password Complexity Verification

The catpvf.sql script can be customized to enable password complexity verification.

To enable password complexity verification, you must edit the catpvf.sql script to use the password verification function that you want, and then run the script to enable it.

  1. Log in to SQL*Plus with administrative privileges.

    For example:

CONNECT SYSTEM
Enter password: password
  1. Run the catpvf.sql script (or your modified version of this script) to create the password complexity functions in the SYS schema.
@$ORACLE_HOME/rdbms/admin/catpvf.sql
  1. Grant any users who must use this function the EXECUTE privilege on it.

    For example:

GRANT pmsith EXECUTE ON ora12c_strong_verify_function;
  1. In the default profile or the user profile, set the PASSWORD_VERIFY_FUNCTION setting to either the sample password complexity function in the catpvf.sql script, or to your customized function. Use one of the following methods:

    • Log in to SQL*Plus with administrator privileges and use the CREATE PROFILE or ALTER PROFILE statement to enable the function. Ensure that you have the EXECUTE privilege on the function.

      For example, to update the default profile to use the ora12c_strong_verify_function function:

ALTER PROFILE default LIMIT
 PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;
- In Oracle Enterprise Manager Cloud Control, from the **Administration** menu, select **Security**, and then **Profiles**. Select the **Password** tab. Under **Complexity**, from the **Complexity function** list, select the name of the complexity function that you want. Click **Apply**.

After you have enabled password complexity verification, it takes effect immediately. If you must disable it, then run the following statement:

ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION NULL;
  <div class="infoboxnote" markdown="1">


  **Note:**


  The `ALTER USER` statement has a `REPLACE` clause. With this clause, users can change their own unexpired passwords by supplying the previous password to authenticate themselves.


  If the password has expired, then the user cannot log in to SQL to issue the `ALTER USER` command. Instead, the `OCIPasswordChange()` function must be used, which also requires the previous password.


  A database administrator with `ALTER ANY USER` privilege can change any user password (force a new password) without supplying the old one.


  </div>