It is good security practice to change passwords regularly. When changing a database password, however, the problem arises that applications that access this database have to be reconfigured if the password changes. If multiple applications or services use the same database user, then they all need to be reconfigured at once, typically during a scheduled downtime.
Oracle 21c introduced a new feature called Gradual Password Rollover that can help make such a password change less disruptive. The feature was also backported to Oracle 19c. If this feature is switched on for a user profile, a transition time is granted when the password is changed, during which both the old and the new password are valid. The applications can then change their configuration to the new password within this period according to their own schedule.
How to enable it
You must first be logged in as a privileged user who is allowed to manage users. The grace period for which both passwords should be valid after a password change is set via a user profile. A user profile is a set of limits on the database resources and the user password. The profile setting for this feature is called
PASSWORD_ROLLOVER_TIME. You either create a new profile and specify this setting as a limit, or you adjust an existing profile. Here are both variants:
-- Create a new profile ... CREATE PROFILE example_profile LIMIT PASSWORD_ROLLOVER_TIME 1; -- ... or alter an existing profile ALTER PROFILE example_profile LIMIT PASSWORD_ROLLOVER_TIME 1;
The unit of this setting is days. The minimum value is one hour (1/24) and the maximum value is 60 (days). You can assign this profile to a user with the following statement:
ALTER USER example_user PROFILE example_profile;
Now change the user’s password:
ALTER USER example_user IDENTIFIED BY thenewpassword;
Now you should be able to log in as this user with both the old and the new password. You can query the current status from the
SELECT username, account_status, profile FROM dba_users WHERE username='example_user';
The value of the
account_status column should have changed from
OPEN & IN ROLLOVER. This indicates that the user account is in the password rollover phase, and two passwords are active at the same time. You can end this period early with the following command:
ALTER USER example_user EXPIRE PASSWORD ROLLOVER PERIOD;
A final note: If you change the password again during the rollover period only the original password (the one before the rollover period was started) and the latest password are valid, which means a user account can’t have more than two valid passwords at the same time.