Starting with Oracle Database 12.2.0.1 the orapwd utility – used to create Password Files for remote authentication – enforces complexity rules for the provided password.
Problem
When you try to create a password file with a weak password, orapwd terminates with an OPW-00029 error.
```
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 password=oracle force=y

OPW-00029: Password complexity failed for SYS user : Password must contain at least 8 characters.
```
The provided password must pass validation against all of the following rules (extracted from the orapwd utility code).
- Password must contain at least 8 characters
- Password must not contain double quotes
- Password must contain at least 1 letter
- Password must contain at least 1 digit
- Password must contain at least 1 special character
- Password must not contain the username
- Password must not contain username reversed
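The seven rules above can be checked before orapwd is called, for example in a provisioning script. The following is an added example, not code from orapwd or from the original post; the function name `check_orapwd_password` is hypothetical, and it assumes that "letter" means an ASCII letter, "special character" means anything that is not an ASCII letter or digit, and that the username comparison ignores case. orapwd itself remains the authority on what is accepted.

```shell
#!/bin/sh
# Added example: pre-flight check of a candidate password against the seven
# rules listed above, so automation can fail early before calling orapwd.
# Assumptions (not stated on the page): "letter" means ASCII A-Z/a-z,
# "special character" means anything that is not an ASCII letter or digit,
# and the username comparison ignores case.

# Usage: check_orapwd_password USER PASSWORD
# Prints each violated rule to stderr; exit status = number of violations.
# The body runs in a subshell, so no variables leak into the caller.
check_orapwd_password() (
    LC_ALL=C; export LC_ALL            # keep the bracket ranges ASCII-only
    pw=$2
    fails=0
    fail() { echo "FAIL: $1" >&2; fails=$((fails + 1)); }

    lc_user=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    lc_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')

    # Reverse the username one character at a time (portable, no rev(1) needed)
    rest=$lc_user
    rev_user=
    while [ -n "$rest" ]; do
        first=${rest%"${rest#?}"}      # first character of what is left
        rev_user=$first$rev_user
        rest=${rest#?}
    done

    [ "${#pw}" -ge 8 ] || fail "Password must contain at least 8 characters"
    case $pw in *'"'*) fail "Password must not contain double quotes" ;; esac
    case $pw in *[A-Za-z]*) ;; *) fail "Password must contain at least 1 letter" ;; esac
    case $pw in *[0-9]*) ;; *) fail "Password must contain at least 1 digit" ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) fail "Password must contain at least 1 special character" ;; esac
    if [ -n "$lc_user" ]; then         # an empty username would match everything
        case $lc_pw in *"$lc_user"*) fail "Password must not contain the username" ;; esac
        case $lc_pw in *"$rev_user"*) fail "Password must not contain username reversed" ;; esac
    fi
    exit "$fails"
)
```

Because SYS reads the same in both directions, a password containing "sys" violates both username rules at once.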
Solution
Use a strong password
To get rid of the above error, provide a password that fulfills all complexity requirements.
```
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 password=welcome1! force=y
```
Create Password File in 12c format
If you cannot set a strong password, you can fall back to the old 12c Release 1 format using the format parameter – the default for this parameter is 12.2.
```
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 password=oracle format=12 force=y
```
Using the older 12c format has the disadvantage that the following features are not supported.
- Granting administrative privileges to external users
- Enable SSL and Kerberos authentication for administrative users
You can, however, migrate a Password File to a newer format. During this migration the password complexity rules are ignored. You have to use different names for the Password Files involved.
```
# Create dummy Password File with old format
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01.tmp password=oracle format=12

# Migrate (copy) Password File to 12.2 format
$ orapwd file=$ORACLE_HOME/dbs/orapwDB01 input_file=$ORACLE_HOME/dbs/orapwDB01.tmp

# Remove dummy Password File
$ rm $ORACLE_HOME/dbs/orapwDB01.tmp
```
Conclusion
A strong password for remote authentication using SYSDBA, SYSBACKUP etc. privileges is a good starting point to achieve a higher level of security when accessing the database from the outside. Oracle's decision to enforce a strong(er) password when the Password File is created is a small but good enhancement of the orapwd utility.
To verify the format of your Password File, just use the describe command of the orapwd utility.
```
$ orapwd describe file=$ORACLE_HOME/dbs/orapwDB01
Password file Description : format=12.2
```
References
credit: https://christian-gohmann.de/2017/05/08/orapwd-enforces-password-complexity-rules-in-12-2-0-1/