Thursday, December 29, 2011

ORA-28008

This is a simple example using the replace clause of the alter user statement. First log in as an administrator and create a user:
  
SQL> conn system/manager
Connected.
SQL> grant create session to andrew
  2  identified by reid1
  3  /

Grant succeeded.
 
SQL>


Now change the user's password. The replace clause allows you to provide the old password. In this case the correct value is given:


SQL> alter user andrew
  2  identified by reid2
  3  replace reid1
  4  /

User altered.

SQL>

Change the user's password again. This time the replace clause supplies the incorrect password:
  
SQL> alter user andrew
  2  identified by reid3
  3  replace reid1
  4  /

User altered.

SQL>
  
The change was accepted. There are 2 reasons for this:
  1. Oracle does not store a password's unencrypted value.
  2. An administrator may not know the value of an old password.

Now restore the original password:
  
SQL> alter user andrew
  2  identified by reid1
  3  /

User altered.

SQL> 

  
Then connect as the new user and repeat the test:
  
SQL> conn andrew/reid1
Connected.
SQL> alter user andrew
  2  identified by reid2
  3  replace reid1
  4  /

User altered.

SQL> alter user andrew
  2  identified by reid3
  3  replace reid1
  4  /
alter user andrew
*
ERROR at line 1:
ORA-28008: invalid old password

SQL> 

The second change was not accepted. There are a couple of reasons for this:
  1. A user should know the current value of his own password.
  2. If Oracle changed a password when the old password was supplied incorrectly, there would be nothing to stop somebody else from changing your password if you left your terminal unattended.

Although Oracle does not store unencrypted passwords, it can still check an old password when one is supplied. It does this by encrypting the supplied value and comparing the result with the encrypted value it has on file.
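The tests above show that the REPLACE check is only enforced when an account changes its own password; anyone holding the ALTER USER privilege can reset another user's password without knowing the old one. As an added example (not part of the original post), the following Oracle SQL lists which accounts hold that privilege, directly or through any depth of role nesting, and enables statement auditing of user changes. It assumes DBA access and the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views.

```sql
-- Added example: who can change another user's password without REPLACE?
-- Run as a DBA (e.g. SYSTEM). Output is one row per account/path.

-- 1. Accounts granted ALTER USER directly.
SELECT grantee  AS account,
       'DIRECT' AS via
FROM   dba_sys_privs
WHERE  privilege = 'ALTER USER'
  AND  grantee IN (SELECT username FROM dba_users)
UNION
-- 2. Accounts that reach ALTER USER through a chain of roles
--    (for example SYSTEM holds it through the DBA role).
--    CONNECT BY walks user -> role -> role ...; the WHERE clause is
--    applied to the walked rows, keeping only roles that hold the privilege.
SELECT DISTINCT
       CONNECT_BY_ROOT rp.grantee AS account,
       'ROLE ' || rp.granted_role AS via
FROM   dba_role_privs rp
WHERE  rp.granted_role IN (SELECT grantee
                           FROM   dba_sys_privs
                           WHERE  privilege = 'ALTER USER')
START WITH rp.grantee IN (SELECT username FROM dba_users)
CONNECT BY NOCYCLE PRIOR rp.granted_role = rp.grantee
ORDER  BY 1, 2;

-- 3. Record every CREATE/ALTER/DROP USER in the audit trail so that a
--    password reset made without the old password is at least visible.
--    (Traditional auditing; the USER statement option covers all three.)
AUDIT USER;
```

Accounts that appear only under a role path can lose the capability by revoking the role; accounts that appear under DIRECT need the privilege itself revoked.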
