
Oracle Error ORA-28209: Server Name in Password

Oracle Database

Description

The ORA-28209 error in Oracle Database means that the password supplied in a `CREATE USER` or `ALTER USER ... IDENTIFIED BY` statement contains the name of the database server. Oracle rejects such passwords because a server's hostname is not a secret: it appears in connection descriptors, DNS and listener configuration, so anyone who already knows where the database is would have a head start on guessing a password built around that name. The rejected statement is not applied, and the account keeps its previous password.

Error Message

ORA-28209: password contains the server name

Known Causes

Server Name Inclusion
The new password contains the name of the server or database instance the user is connecting to. This is the direct cause of the error; the other two entries describe how the match is made.

Substring Match
The server name does not have to be the whole password. Oracle looks for it anywhere inside the password, so prefixing or suffixing it with digits or symbols does not get past the check.

Case Insensitivity
The comparison ignores case, so the error is raised whether the password contains `ServerName`, `servername` or `SERVERNAME`.

Solutions


1. Change User Password to Exclude Server Name (easy)

Set a new password for the user that contains no form of the server's hostname, instance name or database name.

1. Connect to the database as a user with the `ALTER USER` privilege (for example `SYS` or `SYSTEM`).
2. Identify the server name. Usually this is the hostname of the machine running the database, but also check the instance name and the database name, since the same string is often reused in all three.
3. Run `ALTER USER` to set a new password that does not contain any of those names:
ALTER USER username IDENTIFIED BY new_secure_password;
4. Replace `username` with the account that raised ORA-28209 and `new_secure_password` with a strong password that contains no form of the server name. Enclose the password in double quotes if it contains characters other than letters, digits, `_`, `$` and `#`; otherwise the statement fails with a syntax error rather than ORA-28209. Existing sessions are unaffected; the new password applies to new logins.
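The three steps above as one script, added here as an example; it is not part of the original page and not Oracle's own code. It assumes a DBA connection, an affected account named `app_user`, and a constructed candidate password. Step 2 is a local pre-check in PL/SQL, done before the `ALTER USER` so that a rejection is explained by name rather than only by the error code.

```sql
-- Added example, not from the original page. Run as SYS or SYSTEM.
-- Assumed: the affected account is app_user; the candidate password is constructed.

-- Step 1: every name the server is known by. A password that contains any of
-- them is a candidate for ORA-28209, so collect all of them, not just the host.
SELECT host_name, instance_name FROM v$instance;
SELECT name, db_unique_name     FROM v$database;

-- Step 2: pre-check the candidate locally (case-insensitive substring match)
-- so that the failure, if any, is explained before ALTER USER is attempted.
SET SERVEROUTPUT ON
DECLARE
  v_candidate VARCHAR2(128) := 'Tr0ub4dor#3-2024';   -- constructed sample
  v_host      VARCHAR2(64);
  v_inst      VARCHAR2(16);
  v_db        VARCHAR2(30);

  PROCEDURE fail_if_contains(p_label VARCHAR2, p_name VARCHAR2) IS
  BEGIN
    IF p_name IS NOT NULL
       AND INSTR(LOWER(v_candidate), LOWER(p_name)) > 0 THEN
      RAISE_APPLICATION_ERROR(-20001,
        'candidate contains the ' || p_label || ' "' || p_name || '"');
    END IF;
  END;
BEGIN
  SELECT host_name, instance_name INTO v_host, v_inst FROM v$instance;
  SELECT name INTO v_db FROM v$database;

  -- Use the short hostname: "dbprod01.example.com" must also match as "dbprod01".
  fail_if_contains('host name',     REGEXP_SUBSTR(v_host, '^[^.]+'));
  fail_if_contains('instance name', v_inst);
  fail_if_contains('database name', v_db);
  DBMS_OUTPUT.PUT_LINE('candidate contains no server name; safe to apply');
END;
/

-- Step 3: apply it. Double quotes preserve the # and - characters, which are
-- not allowed in an unquoted password.
ALTER USER app_user IDENTIFIED BY "Tr0ub4dor#3-2024";
```

If the pre-check raises, change the candidate and rerun only the block; nothing has been applied to the account yet. Changing the password of an account that applications use invalidates their stored credentials, so do this in the same change window as Solution 2.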

2. Update Application Connection Strings (medium)

Once the database password has been changed, every place an application stores that credential must be updated to match, or the application will start failing to log in and, with `FAILED_LOGIN_ATTEMPTS` set in the profile, will lock the account.

1. Locate every place the database username and password are stored: application property files, environment variables, container or CI secrets, or an Oracle wallet. Note that `tnsnames.ora` holds connection descriptors (host, port, service name), not credentials, so it only needs to change if the connect alias itself changes.
2. Confirm which database account each configuration uses; several applications may share one account, and all of them need the new password.
3. Replace the stored password with the new one set in Solution 1. If the credentials live in a password manager, secret store or wallet, update them there rather than editing plaintext files.
4. If an application connects as a different account from the one that raised ORA-28209, check that account's password against the same rule and change it with `ALTER USER` as well.
5. Restart the application or the affected services so that the new credential is read, and watch the first login attempts for ORA-01017 (invalid username/password), which means a stale copy of the old password is still in use somewhere.

3. Review and Enforce Password Policies (advanced)

Prevent the error from recurring by enforcing a password verification function through a profile, so that weak choices are rejected with a clear message at the moment the password is set.

1. Connect to the database as `SYS`. The `ALTER PROFILE` privilege is enough for the profile itself, but a verification function must be owned by `SYS`.
2. Create or modify a profile that names a verification function. Oracle ships `ora12c_verify_function` in `$ORACLE_HOME/rdbms/admin/utlpwdmg.sql`; running that script as `SYS` creates it (and also points the `DEFAULT` profile at it, so review the profile afterwards). Besides length and character-class checks, it rejects passwords that contain the username or the server name.
CREATE PROFILE password_policy_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME 90
  PASSWORD_REUSE_TIME 10
  PASSWORD_REUSE_MAX 5
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- To reject additional strings (database name, company or product name), write a custom verification function and name it here instead.
3. Assign the profile to the relevant users. To apply the rule to every user that has no explicit profile, change the `DEFAULT` profile instead of creating a new one.
ALTER USER username PROFILE password_policy_profile;
-- Or for all users without an explicit profile:
-- ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION ora12c_verify_function;
4. Note: a verification function runs only when a password is set or changed, so existing passwords that already contain the server name stay in place until they are rotated; `PASSWORD_LIFE_TIME` above forces that within 90 days. A password the function rejects fails with ORA-28003, followed by the function's own message giving the reason. A custom function must take `(username, password, old_password)`, return `BOOLEAN`, and be owned by `SYS`.
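A custom verification function of the kind step 4 describes, added here as an example; it is not Oracle's `utlpwdmg.sql` and not part of the original page. It rejects the server host, instance and database names as case-insensitive substrings, plus the username forwards and reversed, then registers itself in a profile and checks itself against the server's own name. The names `pw_verify_no_server_name`, `strict_pw_profile` and `app_user`, and the 12-character minimum, are assumptions for the example.

```sql
-- Added example, not Oracle's utlpwdmg.sql. Run as SYS: PASSWORD_VERIFY_FUNCTION
-- functions must be owned by SYS and have this exact signature.
-- Assumed names: pw_verify_no_server_name, strict_pw_profile, app_user.
CREATE OR REPLACE FUNCTION pw_verify_no_server_name (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2)
RETURN BOOLEAN
IS
  v_host VARCHAR2(64) := SYS_CONTEXT('USERENV', 'SERVER_HOST');
  v_inst VARCHAR2(64) := SYS_CONTEXT('USERENV', 'INSTANCE_NAME');
  v_db   VARCHAR2(64) := SYS_CONTEXT('USERENV', 'DB_NAME');

  -- TRUE when p_name occurs anywhere in the password, ignoring case.
  -- NLS_LOWER rather than LOWER so multibyte names compare correctly.
  FUNCTION contains_name(p_name VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    RETURN p_name IS NOT NULL
       AND INSTR(NLS_LOWER(password), NLS_LOWER(p_name)) > 0;
  END;

  -- Character-wise reversal, so "app_user" also catches "resu_ppa".
  FUNCTION reversed(p IN VARCHAR2) RETURN VARCHAR2 IS
    r VARCHAR2(256) := '';
  BEGIN
    FOR i IN REVERSE 1 .. LENGTH(p) LOOP
      r := r || SUBSTR(p, i, 1);
    END LOOP;
    RETURN r;
  END;
BEGIN
  -- Policy chosen for this example: 12+ characters with a letter and a digit.
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must contain a letter and a digit');
  END IF;

  IF contains_name(username) OR contains_name(reversed(username)) THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must not contain the username');
  END IF;

  -- Server names. The short hostname (label before the first dot) is checked
  -- so that "dbprod01" is caught even when SERVER_HOST is fully qualified.
  IF contains_name(REGEXP_SUBSTR(v_host, '^[^.]+'))
     OR contains_name(v_inst)
     OR contains_name(v_db) THEN
    RAISE_APPLICATION_ERROR(-20004,
      'Password must not contain the server, instance or database name');
  END IF;

  -- old_password is non-NULL only when the user supplies it (REPLACE clause);
  -- reject a change that only bumps a trailing counter, e.g. Secret2023 -> Secret2024.
  IF old_password IS NOT NULL
     AND NLS_LOWER(REGEXP_REPLACE(password,     '[0-9]+$')) =
         NLS_LOWER(REGEXP_REPLACE(old_password, '[0-9]+$')) THEN
    RAISE_APPLICATION_ERROR(-20005,
      'Password differs from the old one only by trailing digits');
  END IF;

  RETURN TRUE;
END;
/

-- Register the function and attach the profile to the account.
CREATE PROFILE strict_pw_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LIFE_TIME       90
  PASSWORD_VERIFY_FUNCTION pw_verify_no_server_name;

ALTER USER app_user PROFILE strict_pw_profile;

-- Self-check: a password built from this server's own host name must be rejected.
SET SERVEROUTPUT ON
DECLARE
  v_bad VARCHAR2(128) := 'Xq7' || SYS_CONTEXT('USERENV', 'SERVER_HOST') || '2024';
BEGIN
  IF pw_verify_no_server_name('APP_USER', v_bad, NULL) THEN
    DBMS_OUTPUT.PUT_LINE('BUG: server-name password was accepted');
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE('rejected as expected: ' || SQLERRM);
END;
/
```

After the profile is attached, an `ALTER USER app_user IDENTIFIED BY ...` whose password contains the host name fails with ORA-28003 and the ORA-20004 message from the function, which is the clearer failure this solution is meant to produce in place of ORA-28209 at some later point. Keep `FAILED_LOGIN_ATTEMPTS` in mind when rolling the profile out to accounts that applications use: the stricter profile locks them after five bad logins, so rotate stored credentials (Solution 2) in the same window.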