Re: Oracle users and password changes

From: Mladen Gogala
Date: Wed, 04 Apr 2007 12:26:03 -0400

> We need to set up a process where Oracle
> users (currently few and mostly ODBC using Access) are notified
> and can change their password dynamically every 90 days.
> We were wondering what other companies do and any
> best practices? Any thoughts or comments appreciated.
> Thanks.
> Dianna G.

Most of the other companies have DBA personnel capable of reading documentation.
More specifically, I believe that there is a "CREATE PROFILE" statement described in the
documentation and that the following options are supported:

FAILED_LOGIN_ATTEMPTS Specify the number of failed attempts to log in to the user account before the account is locked.

PASSWORD_LIFE_TIME Specify the number of days the same password can be used for authentication. If you also set a value for |PASSWORD_GRACE_TIME|, the password expires if it is not changed within the grace period, and further connections are rejected. If you do not set a value for |PASSWORD_GRACE_TIME|, its default of |UNLIMITED| will cause the database to issue a warning but let the user continue to connect indefinitely.

PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX These two parameters must be set in conjunction with each other. |PASSWORD_REUSE_TIME| specifies the number of days before which a password cannot be reused. |PASSWORD_REUSE_MAX| specifies the number of password changes required before the current password can be reused. For these parameters to have any effect, you must specify an integer for both of them.


      If you specify an integer for both of these parameters, then the
      user cannot reuse a password until the password has been changed
      the number of times specified for
      |PASSWORD_REUSE_MAX| during the number of days specified for

      For example, if you specify |PASSWORD_REUSE_TIME| to 30 and
      |PASSWORD_REUSE_MAX| to 10, then the user can reuse the password
      after 30 days if the password has already been changed 10 times.


      If you specify an integer for either of these parameters and
      specify |UNLIMITED| for the other, then the user can never reuse a


      If you specify |DEFAULT| for either parameter, then Oracle
      Database uses the value defined in the |DEFAULT| profile. By
      default, all parameters are set to |UNLIMITED| in the |DEFAULT|
      profile. If you have not changed the default setting of
      |UNLIMITED| in the |DEFAULT| profile, then the database treats the
      value for that parameter as |UNLIMITED|.


      If you set both of these parameters to |UNLIMITED|, then the
      database ignores both of them.

PASSWORD_LOCK_TIME Specify the number of days an account will be locked after the specified number of consecutive failed login attempts.

PASSWORD_GRACE_TIME Specify the number of days after the grace period begins during which a warning is issued and login is allowed. If the password is not changed during the grace period, the password expires.

There are some other options, too, but those are not for beginners.
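
Added example, not part of the original message: the profile options quoted above applied to the 90-day requirement in the question, plus a data-dictionary query a DBA could schedule to see whom to notify. The profile name APP_USER_90D, the user name ODBC_USER1, the 14-day notification window and every numeric limit other than the 90 days are assumptions chosen for illustration.

```sql
-- Added example. Profile name, user name and all limits except the
-- 90-day lifetime are assumed values, not taken from the thread.

-- 1. Password profile: 90-day lifetime with a bounded grace period.
--    PASSWORD_GRACE_TIME is set explicitly because, as quoted above,
--    its default of UNLIMITED only warns and never rejects the login.
--    Both reuse parameters get integers; otherwise they have no effect.
CREATE PROFILE app_user_90d LIMIT
  FAILED_LOGIN_ATTEMPTS 5      -- lock after 5 consecutive failures
  PASSWORD_LOCK_TIME    1      -- days the account stays locked
  PASSWORD_LIFE_TIME    90     -- days a password may be used
  PASSWORD_GRACE_TIME   7      -- days of warning before expiry
  PASSWORD_REUSE_TIME   365    -- days before an old password is reusable
  PASSWORD_REUSE_MAX    10;    -- changes required before reuse

-- 2. Attach the profile to each ODBC/Access account.
ALTER USER odbc_user1 PROFILE app_user_90d;

-- 3. Verify what the profile actually enforces. A DEFAULT entry here
--    means the value is inherited from the DEFAULT profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_90D'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- 4. Notification list: accounts on this profile whose password
--    expires within the next 14 days, or that are already in the
--    grace period, expired or locked.
SELECT username,
       account_status,
       expiry_date,
       TRUNC(expiry_date - SYSDATE) AS days_left
  FROM dba_users
 WHERE profile = 'APP_USER_90D'
   AND (   expiry_date < SYSDATE + 14
        OR account_status <> 'OPEN')
 ORDER BY expiry_date;
```

Users change their own password with ALTER USER <name> IDENTIFIED BY <new> REPLACE <old>, or with the SQL*Plus PASSWORD command.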

