Error
Error Code: ORA-28219

Oracle Error ORA-28219: Password Complexity Failure

📦 Oracle Database
📋

Description

The ORA-28219 error indicates that a user's attempted password change failed because the new password does not meet the password complexity rules defined in the mandatory profile. This typically occurs during user account management or password resets.
💬

Error Message

password verification failed for mandatory profile
🔍

Known Causes

3 known causes
⚠️
Complexity Requirements Not Met
The new password doesn't satisfy the minimum length, character type (uppercase, lowercase, digits, special characters) or complexity rules defined by the profile.
⚠️
Password History Violation
The new password is too similar to a recently used password, violating the password history policy.
⚠️
Dictionary Word Used
The password contains a dictionary word or a common variation of one, which is prohibited by the profile.
🛠️

Solutions

3 solutions available

1. Update Password to Meet Profile Requirements easy

Change the user's password to satisfy the complexity rules defined in the mandatory profile.

1
Connect to the Oracle database as the user experiencing the error or as a DBA with sufficient privileges.
2
Attempt to change the password using the `ALTER USER` statement. Ensure the new password adheres to the complexity rules of the mandatory profile (e.g., length, character types).
ALTER USER username IDENTIFIED BY new_strong_password;
3
If you are unsure of the profile's complexity rules, a DBA can query the `DBA_PROFILES` view.
SELECT profile, resource_name, limit FROM dba_profiles WHERE profile = (SELECT profile FROM dba_users WHERE username = 'USERNAME_OF_THE_USER');

2. Temporarily Modify the Mandatory Profile medium

Adjust the password complexity settings of the mandatory profile to allow the user to set their password.

1
Connect to the Oracle database as a DBA with `ALTER PROFILE` privileges.
2
Identify the mandatory profile associated with the user. This is typically `DEFAULT` or a custom profile assigned to the user.
SELECT username, profile FROM dba_users WHERE username = 'USERNAME_OF_THE_USER';
3
Modify the password complexity parameters of the identified profile. For example, to disable password complexity checks temporarily:
ALTER PROFILE profile_name LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;
ALTER PROFILE profile_name LIMIT PASSWORD_LIFE_TIME UNLIMITED;
ALTER PROFILE profile_name LIMIT PASSWORD_REUSE_TIME UNLIMITED;
ALTER PROFILE profile_name LIMIT PASSWORD_REUSE_MAX UNLIMITED;
ALTER PROFILE profile_name LIMIT PASSWORD_VERIFY_FUNCTION NULL;
-- Note: Setting PASSWORD_VERIFY_FUNCTION to NULL is a significant security reduction and should only be done temporarily.
4
Have the user change their password to something simple.
ALTER USER username IDENTIFIED BY simple_password;
5
Revert the profile changes to enforce security policies again.
ALTER PROFILE profile_name LIMIT PASSWORD_VERIFY_FUNCTION ora12c_verify_function; -- Or the original function name

3. Assign a Different Profile to the User medium

Change the user's profile to one that has less stringent password complexity requirements.

1
Connect to the Oracle database as a DBA with `ALTER USER` privileges.
2
Identify existing profiles that meet the user's needs or create a new profile with acceptable complexity settings.
SELECT profile FROM dba_profiles WHERE resource_type = 'PASSWORD'; -- To see password-related profiles
3
Assign a new profile to the user.
ALTER USER username PROFILE new_profile_name;
4
Have the user change their password.
ALTER USER username IDENTIFIED BY new_password;