Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Special characters in Oracle password

Re: Special characters in Oracle password

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Tue, 12 Oct 2004 13:22:02 +0100
Message-ID: <sL1XoxAqx8aBBxDq@peterfinnigan.demon.co.uk>


Hi,

If the password is not enclosed in quotes then it can include any letter, any digit, "_", "#" or "$" characters. Only a letter can be used in the first character, the other characters can be used after that. If on the other hand you enclose the password in quotes then you can use any character in any position. Lets see some examples:

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production With the Partitioning, OLAP and Oracle Data Mining options JServer Release 9.2.0.1.0 - Production

SQL>
SQL> connect sys/a_at_sans as sysdba
Connected.
SQL> -- create a user with the valid character set SQL> create user test01 identified by abc123_$#;

User created.

SQL> -- change his password again with the valid character set SQL> alter user test01 identified by abc456#_$;

User altered.

SQL> -- try and create a user with a password that does not start 
SQL> -- with a letter
SQL> create user test02 identified by 123abc#_$;
create user test02 identified by 123abc#_$

*

ERROR at line 1:
ORA-00988: missing or invalid password(s)
SQL> -- It fails as you should only be able to create a user with
SQL> -- a password starting with a letter
SQL> -- now try with a password starting with one of the three 
SQL> -- special characters.
SQL> create user test02 identified by _123abc;
create user test02 identified by _123abc

*

ERROR at line 1:
ORA-00911: invalid character
SQL> -- another failure, this time an invalid character. Now try and 
SQL> -- create a user with special characters but not valid ones.
SQL> create user test02 identified by abc123^*;
create user test02 identified by abc123^*
                                       *
ERROR at line 1:
ORA-00922: missing or invalid option
SQL> -- OK, fails again as expected but this time a different error
SQL> -- message. Next try and create a user with any special characters
SQL> -- but this time enclosed in quotes. This should work.
SQL> create user test02 identified by "^*abc£";

User created.

SQL> -- it works as expected. Now try an alter user again with any
SQL> -- special characters.
SQL> alter user test02 identified by "%$ghj^";

User altered.

SQL> -- again it works as expected.

The above examples show that you can use letters, digits and _#$ without quotes and any character with quotes both for create statements and also for alter user statements. It is also possible to use control characters in passwords to make it difficult to use the password on the command line such as carriage returns.

Kind regards

Pete

-- 
Pete Finnigan (email:pete_at_petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Oct 12 2004 - 07:18:23 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US