Case sensitive passwords
Database passwords in Oracle 11g are case sensitive, while passwords for earlier versions are not. Oracle 11g now implements a more secure SHA1 algorithm that supports mixed-case passwords and add salts to stored passwords. Multi-byte passwords are also supported in 11g. This functionality is controlled by a new initialization parameter, SEC_CASE_SENSITIVE_LOGON (default is TRUE).
Weaker password hashes are still being stored in the SYS.USER$ table for passwords created in prior releases. Hence, it is recommended to change all passwords after upgrading to 11g.
 Test case
Let start by creating a new user, called Michel:
SQL> CREATE USER Michel IDENTIFIED BY Michel DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp; User created. SQL> GRANT create session TO Michel; Grant succeeded.
Let's try to connect to the Michel user:
Test 1: Connect with both lower cases for user name and the password:
SQL> conn michel/michel ERROR: ORA-01017: invalid username/password; logon denied Warning: You are no longer connected to ORACLE.
Test 2: Provide the proper username with lowercase password:
SQL> conn Michel/michel ERROR: ORA-01017: invalid username/password; logon denied
Test 3: Use the correct username and password:
SQL> conn Michel/Michel Connected.
Notice that it connected by providing the case sensitive user name and password.
Test 4: Try with a case insensitive user name and case sensitive password:
SQL> conn michel/Michel Connected. SQL>
From the above we can see that passwords are case sensitive in Oracle 11g, while user names are still case insensitive as before.