Case sensitive passwords

From Oracle FAQ

Jump to: navigation, search

Database passwords in Oracle 11g are case sensitive, while passwords for earlier versions are not. Oracle 11g now implements a more secure SHA1 algorithm that supports mixed-case passwords and add salts to stored passwords. Multi-byte passwords are also supported in 11g. This functionality is controlled by a new initialization parameter, SEC_CASE_SENSITIVE_LOGON (default is TRUE).

Weaker password hashes are still being stored in the SYS.USER$ table for passwords created in prior releases. Hence, it is recommended to change all passwords after upgrading to 11g.

[edit] Test case

Let start by creating a new user, called DreamzZ: 

SQL> CREATE USER DreamzZ IDENTIFIED BY DreamzZ
            DEFAULT   TABLESPACE users
            TEMPORARY TABLESPACE temp;
User created.

SQL> GRANT create session TO DreamzZ;
Grant succeeded.

Let's try to connect to the DreamzZ user:

Test 1: Connect with both lower cases for user name and the password: 

SQL> conn dreamzz/dreamzz
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.

Test 2: Provide the proper username with lowercase password: 

SQL> conn DreamzZ/dreamzz
ERROR:
ORA-01017: invalid username/password; logon denied

Test 3: Use the correct username and password: 

SQL> conn DreamzZ/DreamzZ
Connected.

Notice that it connected by providing the case sensitive user name and password.

Test 4: Try with a case insensitive user name and case sensitive password: 

SQL> conn dreamzz/DreamzZ
Connected.
SQL>

From the above we can see that passwords are case sensitive in Oracle 11g, while user names are still case insensitive as before.

Retrieved from "http://www.orafaq.com/wiki/Case_sensitive_passwords"
Personal tools