orapwd enforces password complexity rules in 12.2.0.1

Starting with Oracle Database 12.2.0.1 the orapwd utility – used to create Password Files for remote authentication – enforces complexity rules for the provided password.

Problem

When you try to create a password file with a less secure password, the orapwd terminates with an OPW-00029 error.

$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 password=oracle force=y

OPW-00029: Password complexity failed for SYS user : Password must contain at least 8 characters.

The provided password must succeed the validation of the following password characteristics (extracted from the orapwd utility code).

  • Password must contain at least 8 characters
  • Password must not contain double quotes
  • Password must contain at least 1 letter
  • Password must contain at least 1 digit
  • Password must contain at least 1 special character
  • Password must not contain the username
  • Password must not contain username reversed

Solution

Use strong password

To get rid of the above error, provide a password which fulfills all complexity requirements.

$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 password=welcome1! force=y

Create Password File in 12c format

If you cannot set a strong password, you can use the old 12c Release 1 format using the format parameter – the default for this parameter is 12.2.

$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 password=oracle format=12 force=y

Using the older 12c format has the disadvantage, that the following features are not supported.

  • Granting administrative privileges to external users
  • Enable SSL and Kerberos authentication for administrative users

But you have the possibilty to migrate a Password File to a newer format. During this migration the password complexity rules are ignored. You have to use different names for the involved Password Files.

# Create dummy Password File with old format
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01.tmp password=oracle format=12
# Migrate (copy) Password File to 12.2 format
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 input_file=$ORACLE_HOME/dbs/orapwDB01.tmp
# Remove dummy Password File
$ rm $ORACLE_HOME/dbs/orapwDB01.tmp

Conclusion

A strong password for remote authentication using SYSDBA, SYSBACKUP etc. privilege is a good starting point to archieve a higher level of security accessing the database from the outside. The decision of Oracle to enforce a strong(er) password during creation time of the Password File is a little but good enhancement of the orapwd utility.

To verify the format of your Password File, just use the describe command of the orapwd utility.

$ orapwd describe file=$ORACLE_HOME/dbs/orapwDB01
Password file Description : format=12.2

References

Leave a Reply

Your email address will not be published. Required fields are marked *