Starting with Oracle Database 12.2.0.1, the orapwd utility – used to create Password Files for remote authentication – enforces complexity rules for the provided password.
Problem
When you try to create a Password File with a weak password, orapwd terminates with an OPW-00029 error.
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 password=oracle force=y
OPW-00029: Password complexity failed for SYS user : Password must contain at least 8 characters.
The provided password must pass all of the following checks (extracted from the orapwd utility code).
- Password must contain at least 8 characters
- Password must not contain double quotes
- Password must contain at least 1 letter
- Password must contain at least 1 digit
- Password must contain at least 1 special character
- Password must not contain the username
- Password must not contain username reversed
Solution
Use a strong password
To get rid of the above error, provide a password that fulfills all complexity requirements.
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 password=welcome1! force=y
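To check a candidate password against the seven rules listed above before calling orapwd, for example in a provisioning script, a small shell function is enough. This is an added example, not code from Oracle or from the original post; the function name is hypothetical, and it assumes ASCII letters and digits, treats any other character as special, and compares the username case-insensitively.

```shell
#!/bin/sh
# Added example, not Oracle code: pre-check a candidate password against the
# seven rules listed on this page. orapwd itself remains the authority.
# Assumptions: letters and digits are ASCII, a "special character" is anything
# else, and the username comparison is case-insensitive.

# check_orapwd_password PASSWORD [USERNAME]   (USERNAME defaults to SYS)
# Prints one line per violated rule; returns 0 if none are violated, else 1.
# The body runs in a subshell, so its variables do not leak to the caller.
check_orapwd_password() (
    pw=$1
    user=${2:-SYS}
    rc=0
    fail() { printf 'Password %s\n' "$1"; rc=1; }

    pw_lc=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    user_lc=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')

    # Reverse the username by moving its first character to the front of $rev.
    rev='' rest=$user_lc
    while [ -n "$rest" ]; do
        tail=${rest#?}
        first=${rest%"$tail"}
        rev=$first$rev
        rest=$tail
    done

    [ "${#pw}" -ge 8 ] || fail 'must contain at least 8 characters'
    case $pw in *\"*) fail 'must not contain double quotes' ;; esac
    case $pw in *[A-Za-z]*) ;; *) fail 'must contain at least 1 letter' ;; esac
    case $pw in *[0-9]*) ;; *) fail 'must contain at least 1 digit' ;; esac
    case $pw in
        *[!A-Za-z0-9]*) ;;
        *) fail 'must contain at least 1 special character' ;;
    esac
    case $pw_lc in *"$user_lc"*) fail 'must not contain the username' ;; esac
    case $pw_lc in *"$rev"*) fail 'must not contain username reversed' ;; esac
    exit "$rc"
)
```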
Create Password File in 12c format
If you cannot set a strong password, you can fall back to the older 12c Release 1 format with the format parameter. The default for this parameter is 12.2.
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 password=oracle format=12 force=y
Using the older 12c format has the disadvantage that the following features are not supported:
- Granting administrative privileges to external users
- Enabling SSL and Kerberos authentication for administrative users
However, you can migrate a Password File to a newer format. During this migration the password complexity rules are ignored. You have to use different names for the Password Files involved.
# Create dummy Password File with old format
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01.tmp password=oracle format=12
# Migrate (copy) Password File to 12.2 format
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 input_file=$ORACLE_HOME/dbs/orapwDB01.tmp
# Remove dummy Password File
$ rm $ORACLE_HOME/dbs/orapwDB01.tmp
Conclusion
A strong password for remote authentication using the SYSDBA, SYSBACKUP etc. privileges is a good starting point to achieve a higher level of security when accessing the database from the outside. Oracle's decision to enforce a strong(er) password when the Password File is created is a small but good enhancement of the orapwd utility.
To verify the format of your Password File, just use the describe command of the orapwd utility.
$ orapwd describe file=$ORACLE_HOME/dbs/orapwDB01
Password file Description : format=12.2