3 Replies Latest reply: Jun 3, 2011 5:21 AM by krzyhu

    PASSWORD_VERIFY_FUNCTION - ORA-28221 - REPLACE workaround

    krzyhu
      Hi,

      I've implemented the out-of-box PASSWORD_VERIFY_FUNCTION (utlpwdmg.sql); however, I am not too happy about "ORA-28221: REPLACE not specified" whenever the user wants to change its own password:

      SQL> connect USER1/"ABC123!@#"
      Connected

      SQL> ALTER USER USER1 IDENTIFIED BY "QWE123!@#"
      ORA-28221: REPLACE not specified

      however:
      SQL> ALTER USER USER1 IDENTIFIED BY "QWE123!@#" REPLACE "ABC123!@#"
      User altered

      It's a nice feature to request the old password from the user before the change; however, in my humble opinion it should be optional.
      From my experience, most database applications are not capable of handling this "mandatory feature". When the user is already logged in to the application, the password change is simply done by ALTER USER <USERNAME> IDENTIFIED BY "<PASSWORD>" (without REPLACE "<old_password>").
      This brings a risk that enabling PASSWORD_VERIFY_FUNCTION on the database profiles requires development costs on the database applications...

      I am afraid that tweaking/tuning the PASSWORD_VERIFY_FUNCTION in utlpwdmg.sql won't give any results, as the REPLACE is required by the system, not by the function.
      I wish that my function would check only the password strength. The password re-use is guarded by PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX anyhow.
      Would anyone please know how to work around the ORA-28221: REPLACE not specified "mandatory feature"?

      Best regards,
      Krzysztof
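
The strength-only setup the post asks for, as an added example that is not part of the original post and not Oracle's utlpwdmg.sql: a verify function that ignores the old password, with re-use left to the profile limits. The names app_strength_only and app_users and all thresholds are assumptions; this does not lift the REPLACE requirement the post describes.

```sql
-- Added example. Run as SYS: like the function created by utlpwdmg.sql,
-- a password verify function must be owned by SYS.
-- app_strength_only is a hypothetical name; thresholds are constructed values.
CREATE OR REPLACE FUNCTION app_strength_only (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2      -- part of the required signature, not inspected here
) RETURN BOOLEAN IS
BEGIN
  -- Length check (12 is an assumed policy value).
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;

  -- Reject a password equal to the user name, ignoring case.
  IF NLS_LOWER(password) = NLS_LOWER(username) THEN
    raise_application_error(-20002, 'Password must not equal the user name');
  END IF;

  -- Require at least one letter, one digit and one other character.
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    raise_application_error(-20003,
      'Password must contain a letter, a digit and a special character');
  END IF;

  -- No comparison against old_password: re-use is enforced by the
  -- PASSWORD_REUSE_* limits of the profile below.
  RETURN TRUE;
END;
/

-- app_users is a hypothetical profile name; 365 days and 10 changes are
-- constructed values. With both limits set, both must be satisfied
-- before an old password can be used again.
CREATE PROFILE app_users LIMIT
  PASSWORD_VERIFY_FUNCTION app_strength_only
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10;

ALTER USER USER1 PROFILE app_users;
```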