Managing Passwords for Administrative Users

The passwords of administrative users have special protections, such as password files and password complexity functions.

About Managing Passwords for Administrative Users

The passwords of administrative users are stored outside of the database so that the users can be authenticated even when the database is not open.

There is no special protection with the password file. The password verifiers must be stored outside of the database so that authentication can be performed even when the database is not open. In previous releases, password complexity functions were available for non-administrative users only. Starting with Oracle Database release 12c (12.2), password complexity functions can be used for both non-administrative users and administrative users.

Setting the LOCK and EXPIRED Status of Administrative Users

Administrative users whose accounts have been locked cannot connect to the database.

For example:

ALTER USER hr_admin ACCOUNT UNLOCK;

If the administrative user’s password has expired, then the next time the user attempts to log in, the user will be prompted to create a new password.

Password Profile Settings for Administrative Users

There are several user profile password settings that are enforced for administrative users.

These password profile parameters are as follows:

Last Successful Login Time for Administrative Users

The last successful login time of administrative user connections that use password file-based authentication is captured.

To find this login time, query the LAST_LOGIN column of the V$PWFILE_USERS dynamic performance view.

Management of the Password File of Administrative Users

Setting the ORAPWD utility FORMAT parameter to 12.2 enables you to manage the password profile parameters for administrative users.

The password file is particularly important for administrative users because it stores the administrative user’s credentials in an external file, not in the database itself. This enables the administrative user to log in to a database that is not open and perform tasks such as querying the data dictionary views. To create the password file, you must use the ORAPWD utility.

The FORMAT parameter setting of 12.2, which is the default setting, enables the password file to accommodate the password profile information for the administrative user.

For example:

orapwd file=orapworcl input_file=orapwold format=12.2
...

Setting FORMAT to 12.2 enforces the following rules:

FORMAT=12.2 also applies the following internal checks:

The following user profile password settings are enforced for administrative users:

You can find the administrative users who have been included in the password file and their administrative privileges by querying the V$PWFILE_USERS dynamic view.

Migration of the Password File of Administrative Users

The ORAPWD utility input_file parameter or DBUA can be used to migrate from earlier password file formats to the 12 or 12.2 format.

You can migrate from earlier password file formats to the 12 or 12.2 format by using either the ORAPWD utility file and input_file parameters, or by using Oracle Database Upgrade Assistant (DBUA).

orapwd file=orapworcl input_file=orapwold format=12.2

How the Multitenant Option Affects Password Files for Administrative Users

In a multitenant environment, the password information for the local and common administrative users is stored in different locations.

Password Complexity Verification Functions for Administrative Users

For better security, use password complexity verification functions for the passwords of administrative users.

Note the following: