Error Code: ORA-28215

Oracle Error ORA-28215: Password Weak

Oracle Database

Description

The ORA-28215 error occurs in Oracle Database when a user attempts to set or change a password that does not meet the database's password complexity requirements. Specifically, the password lacks the required number of lowercase alphabetic characters.

Error Message

password must contain number or more lowercase characters

Known Causes

3 known causes
Insufficient Lowercase Characters
The password provided does not contain the minimum required number of lowercase alphabetic characters as defined by the database's password policy.

Password Policy Enforcement
The database's password policy, enforced through profiles or password management tools, requires a certain level of complexity, including lowercase letters.

Default Password Settings
The default password settings of the database may require a minimum number of lowercase characters in the password.

Solutions

3 solutions available

1. Change Password to Comply with Policy (easy)

Immediately change the user's password to meet the current complexity requirements.

1. Connect to the Oracle database as a user with `ALTER USER` privilege (e.g., `SYS` or `SYSTEM`).

```
sqlplus sys as sysdba
```

2. Execute the `ALTER USER` command to change the password for the affected user. Ensure the new password contains at least the required number of lowercase characters.

```sql
ALTER USER username IDENTIFIED BY "NewStrongPassword1";
```

3. Replace `username` with the actual username and `"NewStrongPassword1"` with your desired strong password that meets the criteria.

2. Temporarily Disable Password Complexity for a User (medium)

Bypass password complexity rules for a specific user if immediate compliance is not feasible.

1. Connect to the Oracle database as `SYS` or `SYSTEM`.

```
sqlplus sys as sysdba
```

2. Set `FAILED_LOGIN_ATTEMPTS` and `PASSWORD_VERIFY_FUNCTION` for the user to allow a weaker password temporarily. Both are profile limits rather than `ALTER USER` clauses, so set them in a separate profile (`temp_relaxed_pw` is a placeholder name) and assign that profile to the user. The `NULL` value for `PASSWORD_VERIFY_FUNCTION` disables complexity checks.

```sql
CREATE PROFILE temp_relaxed_pw LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED PASSWORD_VERIFY_FUNCTION NULL;
ALTER USER username PROFILE temp_relaxed_pw;
```

3. Replace `username` with the affected user's name, then set the password.

```sql
ALTER USER username IDENTIFIED BY "weakpassword";
```

4. After successfully changing the password, re-enable password complexity by moving the user back to a profile with a valid `PASSWORD_VERIFY_FUNCTION` (e.g., `verify_function` which is the default) or a custom one. The statement below assumes the user's original profile was `DEFAULT`.

```sql
ALTER USER username PROFILE DEFAULT;
DROP PROFILE temp_relaxed_pw;
```

3. Modify Database-Wide Password Complexity Policy (advanced)

Adjust the global password complexity rules for all users if the current policy is too restrictive or not aligned with organizational needs.

1. Connect to the Oracle database as `SYS` or `SYSTEM`.

```
sqlplus sys as sysdba
```

2. View the current password complexity profile.

```sql
SELECT * FROM dba_profiles WHERE profile = 'DEFAULT' AND resource_name LIKE '%PASSWORD%';
```

3. To modify the `DEFAULT` profile to be less strict (e.g., remove the requirement for numbers or lowercase characters), you can alter the profile. *Caution: This affects all users using the DEFAULT profile.*

```sql
ALTER PROFILE DEFAULT LIMIT
    PASSWORD_LIFE_TIME UNLIMITED
    PASSWORD_REUSE_TIME UNLIMITED
    PASSWORD_REUSE_MAX UNLIMITED
    PASSWORD_VERIFY_FUNCTION NULL  -- This effectively disables complexity checks
    FAILED_LOGIN_ATTEMPTS 5
    PASSWORD_LOCK_TIME 1;
```

4. Alternatively, if you want to keep complexity but make it more flexible, you might need to create a custom `PASSWORD_VERIFY_FUNCTION` or adjust parameters of an existing one. This is a more complex task. For example, to allow passwords with at least one number OR at least one lowercase character, you'd typically rely on the default `verify_function` or a custom one. If the default is causing issues, investigate its implementation.

```sql
/* Example of altering a profile to potentially loosen rules, though the specific 'number or more lowercase' is often controlled by the verify function itself. */
-- This example shows how to alter the profile, but the core of the 'ORA-28215' is often in the verify_function.
-- You might need to explore creating or modifying a password verify function for fine-grained control.
-- For a quick fix, setting PASSWORD_VERIFY_FUNCTION to NULL is the most direct way to disable checks.

-- To re-enable complexity with a standard function (if you previously set it to NULL):
-- ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function;
```

5. After modifying the profile, users will be able to set passwords that comply with the new rules. You might still need to prompt users to change their passwords if they were previously locked out due to the ORA-28215 error.
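
A custom verify function of the kind step 4 describes, as an added example that is not Oracle's shipped function or code from this page. The names `min_lower_verify` and `app_users_profile` and the thresholds (12 characters, 1 lowercase) are assumptions; the function keeps a lowercase minimum enforced through a dedicated profile instead of setting `PASSWORD_VERIFY_FUNCTION` to `NULL` on `DEFAULT`.

```sql
-- Added example. min_lower_verify and app_users_profile are hypothetical names;
-- the thresholds are assumed policy values. Run as SYS: a password verify
-- function must be owned by SYS.
CREATE OR REPLACE FUNCTION min_lower_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN
IS
    c_min_length CONSTANT PLS_INTEGER := 12;
    c_min_lower  CONSTANT PLS_INTEGER := 1;
    v_lower      PLS_INTEGER;
BEGIN
    IF LENGTH(password) < c_min_length THEN
        RAISE_APPLICATION_ERROR(-20001,
            'password must contain ' || c_min_length || ' or more characters');
    END IF;

    -- 'c' forces case-sensitive matching regardless of the session NLS_SORT.
    v_lower := REGEXP_COUNT(password, '[[:lower:]]', 1, 'c');
    IF v_lower < c_min_lower THEN
        RAISE_APPLICATION_ERROR(-20002,
            'password must contain ' || c_min_lower || ' or more lowercase characters');
    END IF;

    -- Reject a password equal to the user name, ignoring case.
    IF UPPER(password) = UPPER(username) THEN
        RAISE_APPLICATION_ERROR(-20003, 'password must not match the user name');
    END IF;

    RETURN TRUE;
END;
/

-- Attach the function to a dedicated profile instead of editing DEFAULT,
-- keeping the lockout limits in place.
CREATE PROFILE app_users_profile LIMIT
    PASSWORD_VERIFY_FUNCTION min_lower_verify
    FAILED_LOGIN_ATTEMPTS 5
    PASSWORD_LOCK_TIME 1;

ALTER USER username PROFILE app_users_profile;

-- Audit: show which verify function each profile currently uses.
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION';
```

Replace `username` with the affected account, as in the steps above.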