You seem to be asking for a comparison of two unrelated things?
The password verify function is used to enforce a desired level of password complexity when changing an Oracle password inside the database. It is not used when establishing a database connection.
I don't see how a shell script could verify a database password as part of making a connection. That password is stored inside the database, so you have to connect to check it. The stored password hash is not a form that a shell script could use to verify anything.
Perhaps I'm misunderstanding the question?
OK that makes more sense.
Benefits of the Oracle password verify function:
It works within the database - no need to call out to shell.
It is integrated with the database's password change functionality and authentication process.
Disadvantages of Oracle password verify function:
Any I can think of are also disadvantages of an external script, such as the need to protect and verify your code to ensure it cannot be modified to silently log passwords to some other location.
Benefits of a shell script:
If you are an expert in shell scripting, but not PL/SQL, this will appear faster to develop (but see below).
Disadvantages of a shell script:
You cannot enforce use of the shell script. None of the usual password change methods in Oracle call it or know it exists. Any user can use the sqlplus "password" command and circumvent your password validation shell script.
A shell script might be faster to write at first, but then you still have to write code inside Oracle to call that script which exists outside the database. This is generally more complex code than you would have to write for a password complexity function.
Oradb wrote: It doesn't matter who is implementing it.
If a consultant does this task for us, which method is best, and why?
If a shell script is enforcing password complexity, you would have to guarantee that no application ever did a password change without calling the script. That seems highly unlikely. Someone will want to change their password using SQL*Plus. Someone will want to change their password via TOAD or some other GUI. Someone will want to change their password using some other front end. A password verification function in the database will be invoked in all of these cases. A shell script will not. Unless you have an exceedingly expensive consultant that is an expert in shell scripting who has no experience whatsoever with PL/SQL and unless you can guarantee that no one today or in the future will want to use any of the established APIs to change their password rather than calling the shell script, use a password verification function.
Of course, if you want to get really technical, you could create a password verification function that, in turn, calls out to an operating system shell script. That would be a hugely overcomplicated architecture but it can be done.
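The in-database approach recommended in the replies above, as an added example that is not part of the original thread: a minimal password verify function attached to a profile, so every password change path (the SQL*Plus "password" command, ALTER USER, GUI tools) passes through it. The names my_verify_function, app_users and some_user, the error numbers and the policy values are assumptions chosen for illustration.

```sql
-- Added example. Hypothetical names: my_verify_function, app_users, some_user.
-- Create while connected as SYS: the verify function must be owned by SYS.
CREATE OR REPLACE FUNCTION my_verify_function (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN
IS
BEGIN
    -- Never write the candidate password to a table, file or trace here;
    -- this function sees it in clear text.

    -- Minimum length (12 is an example policy value).
    IF LENGTH(password) < 12 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
    END IF;

    -- Must not contain the username, compared case-insensitively.
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must not contain the username');
    END IF;

    -- Require at least one letter and one digit.
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
        RAISE_APPLICATION_ERROR(-20003, 'Password must contain a letter and a digit');
    END IF;

    -- old_password may be NULL when the old password was not supplied.
    IF old_password IS NOT NULL AND password = old_password THEN
        RAISE_APPLICATION_ERROR(-20004, 'New password must differ from the old one');
    END IF;

    RETURN TRUE;
END;
/

-- Attach the function to a profile and assign the profile to a user.
CREATE PROFILE app_users LIMIT PASSWORD_VERIFY_FUNCTION my_verify_function;
ALTER USER some_user PROFILE app_users;
```

Restrict and audit who can replace this function or alter the profile, since a modified function could capture passwords, which is the risk raised in the second reply.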