This post shows that if a profile has a password verify function and you assign it to a user who does not have the ALTER USER privilege, that user will not be able to change his or her password without using the REPLACE option. You can see what I mean in the example below, which I tested in Oracle 11.1. First I created a password verify function:
SQL> conn / as sysdba
Connected.
SQL> create or replace function my_verify_function (
2 username varchar2,
3 password varchar2,
4 old_password varchar2)
5 return boolean as
6 begin
7 if length(password) < 4 then
8 raise_application_error
9 (-20000, 'Password < 4 characters long');
10 else
11 return true;
12 end if;
13 end my_verify_function;
14 /
Function created.
SQL>
Then I created a profile to use my password verify function:
SQL> create profile for_andrew
2 limit password_verify_function my_verify_function
3 /
Profile created.
SQL>
… and a user to assign the profile to:
SQL> create user andrew
2 identified by reid1
3 profile for_andrew
4 /
User created.
SQL> grant create session to andrew
2 /
Grant succeeded.
SQL>
The user logged in and tried to change his password but this failed with an ORA-28221 because the user had not supplied the old password. This happens when you have a password verify function:
SQL> conn andrew/reid1
Connected.
SQL> alter user andrew
2 identified by reid2
3 /
alter user andrew
*
ERROR at line 1:
ORA-28221: REPLACE not specified
SQL>
The user then used REPLACE to supply the old password and the problem disappeared:
SQL> alter user andrew
2 identified by reid2
3 replace reid1
4 /
User altered.
SQL>
To prove that the password verify function was the cause of the problem, I removed it and the problem went away again:
SQL> conn / as sysdba
Connected.
SQL> alter profile for_andrew
2 limit password_verify_function null
3 /
Profile altered.
SQL> conn andrew/reid2
Connected.
SQL> alter user andrew
2 identified by reid3
3 /
User altered.
SQL>
I reinstated the password verify function:
SQL> conn / as sysdba
Connected.
SQL> alter profile for_andrew
2 limit password_verify_function my_verify_function
3 /
Profile altered.
SQL>
Then I granted the ALTER USER privilege to the user and this also solved the problem:
SQL> grant alter user to andrew
2 /
Grant succeeded.
SQL> conn andrew/reid3
Connected.
SQL> alter user andrew
2 identified by reid4
3 /
User altered.
SQL> conn andrew/reid4
Connected.
SQL>
The ALTER USER privilege allows a user to change other users' passwords so I revoked it:
SQL> conn / as sysdba
Connected.
SQL> revoke alter user from andrew
2 /
Revoke succeeded.
SQL>
The error reappeared, as you might expect:
SQL> conn andrew/reid4
Connected.
SQL> alter user andrew
2 identified by reid5
3 /
alter user andrew
*
ERROR at line 1:
ORA-28221: REPLACE not specified
SQL>
One final option is to use the PASSWORD command, which allows a user to change his/her password without any restrictions:
SQL> password
Changing password for ANDREW
Old password:
New password:
Retype new password:
Password changed
SQL> conn andrew/reid5
Connected.
SQL>
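As an added example (not part of the original post), the query below, run by a user who can read the DBA_* views, lists the accounts whose profile has a password verify function and flags those without the ALTER USER privilege, i.e. the ones that will get ORA-28221 unless they use REPLACE or the PASSWORD command. It also counts ALTER USER received through a role, which goes beyond the direct grant tested above, and it assumes DBA_PROFILES shows an unset function as the string NULL.

```sql
-- Added example, not from the original post.
with verify_fn as (
  -- Resolve a profile limit of DEFAULT to the DEFAULT profile's setting.
  select p.profile,
         case p.limit when 'DEFAULT' then d.limit else p.limit end as fn
  from   dba_profiles p
         join dba_profiles d
           on  d.profile = 'DEFAULT'
           and d.resource_name = 'PASSWORD_VERIFY_FUNCTION'
  where  p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
),
alter_user_holders as (
  -- Grantees holding ALTER USER directly ...
  select grantee
  from   dba_sys_privs
  where  privilege = 'ALTER USER'
  union
  -- ... or through a role, including nested roles.
  select grantee
  from   dba_role_privs
  start with granted_role in (select grantee
                              from   dba_sys_privs
                              where  privilege = 'ALTER USER')
  connect by prior grantee = granted_role
)
select u.username,
       u.profile,
       v.fn as verify_function,
       case
         when h.grantee is null then 'YES'  -- no ALTER USER: REPLACE required
         else 'NO'                          -- holds ALTER USER: review the grant
       end as needs_replace
from   dba_users u
       join verify_fn v on v.profile = u.profile
       left join alter_user_holders h on h.grantee = u.username
where  v.fn <> 'NULL'   -- assumption: an unset function is shown as 'NULL'
order  by needs_replace desc, u.username;
```

Rows showing NO are worth reviewing separately, since ALTER USER lets the holder change other users' passwords.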