Using ALTER USER for changing passwords
We are looking at implementing password profiles on our database users and attaching a password verification function. I read where ALTER USER does not fully support password verification functions. In what way? I would hate to not be able to use ALTER USER for changing passwords.
Oracle Corp. has stated that the only approved methods of changing a password with a password verification function are through the SQL*Plus password command and through the OCIPasswordChange call. If a normal user uses the ALTER USER command and they have a password verification function, then they will receive an error, even if the password passes the verification function. If a DBA user issues the ALTER USER command, then the password verification function is bypassed. This was very frustrating because only SQL*Plus and OCI applications could use the password verfication function. Even Oracle's own products, like Oracle Forms could not have a user change the password if a password verification function was employed.
It took quite some time, but Oracle finally classified this as a bug, Bug #1231172. The Oracle 184.108.40.206 patchset, and Oracle 220.127.116.11 now have the capability to let the user issue a command as follows:
ALTER USER user IDENTIFIED BY 'newpassword' REPLACE 'oldpassword';
This command will let the user issue the ALTER USER command and still employ a password verification function.
This was first published in March 2004