Case sensitive passwords

From Oracle FAQ
Jump to: navigation, search

Database passwords in Oracle 11g are case sensitive, while passwords for earlier versions are not. Oracle 11g now implements a more secure SHA1 algorithm that supports mixed-case passwords and add salts to stored passwords. Multi-byte passwords are also supported in 11g. This functionality is controlled by a new initialization parameter, SEC_CASE_SENSITIVE_LOGON (default is TRUE).

Weaker password hashes are still being stored in the SYS.USER$ table for passwords created in prior releases. Hence, it is recommended to change all passwords after upgrading to 11g.

[edit] Test case

Let start by creating a new user, called Michel:

SQL> CREATE USER Michel IDENTIFIED BY Michel 
            DEFAULT   TABLESPACE users
            TEMPORARY TABLESPACE temp;
User created.

SQL> GRANT create session TO Michel;
Grant succeeded.

Let's try to connect to the Michel user:

Test 1: Connect with both lower cases for user name and the password:

SQL> conn michel/michel
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.

Test 2: Provide the proper username with lowercase password:

SQL> conn Michel/michel
ERROR:
ORA-01017: invalid username/password; logon denied

Test 3: Use the correct username and password:

SQL> conn Michel/Michel
Connected.

Notice that it connected by providing the case sensitive user name and password.

Test 4: Try with a case insensitive user name and case sensitive password:

SQL> conn michel/Michel
Connected.
SQL>

From the above we can see that passwords are case sensitive in Oracle 11g, while user names are still case insensitive as before.