Error Code: ORA-28211

Oracle Error ORA-28211: Password Complexity Violated

Oracle Database

Description

The ORA-28211 error occurs in Oracle Database when a user attempts to change their password, but the new password does not meet the minimum difference requirement from the old password, as defined by the database administrator. This security measure ensures password complexity and reduces the risk of unauthorized access.

Error Message

new password should differ from the old password by string or more characters

Known Causes

3 known causes

Insufficient Password Change
The new password is too similar to the old password; it does not meet the minimum number of different characters required.

Administrator Policy Violation
The password change does not adhere to the password complexity rules set by the database administrator.

Incorrect Password Policy
The user is unaware of the current password policy regarding the minimum number of changed characters.

Solutions

3 solutions available

1. Change Password to a Significantly Different One (easy)

The most direct solution is to provide a new password that has a substantial difference from the old one.

1. When prompted to change your password (e.g., during a login attempt or via an `ALTER USER` command), enter a new password that is clearly distinct from your previous password. Oracle's default complexity rules often require a minimum number of character differences. Aim for a password that has at least 3-4 character changes in different positions.

   ALTER USER username IDENTIFIED BY new_complex_password;

2. If you are changing the password via a GUI tool like SQL Developer, the tool will typically have a dedicated field for the new password. Enter a robust and different password there.

2. Review and Adjust Password Complexity Rules (DBA Task) (advanced)

As a DBA, you can modify the password complexity rules to allow for less stringent requirements or to exclude specific users.

1. Connect to the Oracle database as a user with DBA privileges (e.g., SYS or SYSTEM).

   sqlplus sys as sysdba

2. Check the current password complexity profile. The default profile is usually `DEFAULT`.

   SELECT * FROM dba_profiles WHERE profile = 'DEFAULT' AND resource_name = 'PASSWORD_VERIFY_FUNCTION';

3. If `PASSWORD_VERIFY_FUNCTION` is set to a function (e.g., `ORA12C_VERIFY_FUNCTION`, which Oracle supplies, or a user-defined one), investigate that function's logic, because it decides how many characters must differ. The limit may also be set to `NULL` or to a simpler function. The following query lists all password-related limits of the profile.

   SELECT profile, resource_name, limit FROM dba_profiles WHERE profile = 'DEFAULT' AND resource_name LIKE 'PASSWORD%';

4. To temporarily relax the rules for all users under the `DEFAULT` profile (use with extreme caution in production), you can set `PASSWORD_VERIFY_FUNCTION` to `NULL`. This effectively disables complexity checks. Note the current value from the previous step first so that you can restore it afterwards.

   ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION NULL;

5. Alternatively, create a new profile with less strict rules and assign it to the user.

   CREATE PROFILE limited_complexity LIMIT PASSWORD_VERIFY_FUNCTION NULL;
   ALTER USER username PROFILE limited_complexity;

6. After making changes, instruct the affected user to attempt changing their password again with a new, sufficiently different password.
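
A middle ground between the existing rule and `PASSWORD_VERIFY_FUNCTION NULL` is a verify function that keeps the checks but lowers the difference threshold. The following is an added example, not Oracle's supplied code and not part of the original page. The names `relaxed_diff_verify` and `min_diff_profile`, the threshold of 2, the 12-character minimum, and the use of `UTL_MATCH.EDIT_DISTANCE` as the difference measure are assumptions chosen for illustration.

```sql
-- Added example. Run as SYS: a password verify function must live in the SYS schema.
-- relaxed_diff_verify and min_diff_profile are hypothetical names.
CREATE OR REPLACE FUNCTION relaxed_diff_verify (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN
IS
  c_min_length CONSTANT PLS_INTEGER := 12; -- assumed policy value
  c_min_differ CONSTANT PLS_INTEGER := 2;  -- assumed relaxed threshold
  v_differ     PLS_INTEGER;
BEGIN
  -- Keep a length floor so relaxing one rule does not drop every check.
  IF LENGTH(password) < c_min_length THEN
    raise_application_error(-20001,
      'Password must be at least ' || c_min_length || ' characters');
  END IF;

  -- Reject a password that contains the user name (case-insensitive).
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the user name');
  END IF;

  -- old_password is NULL when an administrator sets the password without
  -- a REPLACE clause, so the difference check only runs when it is supplied.
  IF old_password IS NOT NULL THEN
    -- Edit (Levenshtein) distance is this example's choice of difference measure.
    v_differ := UTL_MATCH.EDIT_DISTANCE(old_password, password);
    IF v_differ < c_min_differ THEN
      raise_application_error(-20003,
        'New password must differ from the old one by at least '
        || c_min_differ || ' characters');
    END IF;
  END IF;

  RETURN TRUE;
END;
/

-- Attach the function through a dedicated profile instead of editing DEFAULT.
CREATE PROFILE min_diff_profile LIMIT PASSWORD_VERIFY_FUNCTION relaxed_diff_verify;
GRANT EXECUTE ON relaxed_diff_verify TO username;
ALTER USER username PROFILE min_diff_profile;

-- Confirm which verify function the profile now enforces.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'MIN_DIFF_PROFILE' AND resource_name = 'PASSWORD_VERIFY_FUNCTION';
```

Only the accounts moved to `min_diff_profile` get the relaxed rule; every other account keeps the function configured on its own profile.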

3. Utilize a Password Generation Tool (easy)

Employ a password generator to create a strong and distinct password that will satisfy the complexity requirements.

1. Use a reputable password generation tool (online or offline). Configure it to generate a password of sufficient length (e.g., 12+ characters) and complexity (mix of uppercase, lowercase, numbers, and symbols).

   Example generated password: `P@$$wOrd_123!` (Ensure this is significantly different from your old password).

2. When prompted to change your password, copy and paste the generated password into the new password field. Ensure no leading/trailing spaces are copied. In an `ALTER USER` statement, a password that contains special characters must be enclosed in double quotation marks, not single ones.

   ALTER USER username IDENTIFIED BY "P@$$wOrd_123!";