
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


which special characters can be used in Oracle database passwords

I saw a post entitled Special characters in Oracle password to the ORACLE-L list today. The poster was asking which special characters can be used in an Oracle password and he said he had a problem when using them in an ALTER USER statement but not when using a CREATE USER statement. The exact problem he was having was not given (so far).

The characters that can be used for a password without enclosing it in quotes are the same as those allowed in any normal Oracle identifier. I wanted to share the answer I posted to ORACLE-L today here, as I think it's useful to those who are not sure which characters can be used in Oracle passwords.

First here is my post to ORACLE-L:


If the password is not enclosed in quotes then it can include any
letter, any digit, "_", "#" or "$" characters. Only a letter can be used
as the first character; the other characters can be used after that. If
on the other hand you enclose the password in quotes then you can use
any character in any position. Let's see some examples:

Connected to:
Personal Oracle9i Release - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release - Production

SQL> connect sys/a@sans as sysdba
SQL> -- create a user with the valid character set
SQL> create user test01 identified by abc123_$#;

User created.

SQL> -- change his password again with the valid character set
SQL> alter user test01 identified by abc456#_$;

User altered.

SQL> -- try and create a user with a password that does not start
SQL> -- with a letter
SQL> create user test02 identified by 123abc#_$;
create user test02 identified by 123abc#_$
ERROR at line 1:
ORA-00988: missing or invalid password(s)

SQL> -- It fails as you should only be able to create a user with
SQL> -- a password starting with a letter
SQL> -- now try with a password starting with one of the three
SQL> -- special characters.
SQL> create user test02 identified by _123abc;
create user test02 identified by _123abc
ERROR at line 1:
ORA-00911: invalid character

SQL> -- another failure, this time an invalid character. Now try and
SQL> -- create a user with special characters but not valid ones.
SQL> create user test02 identified by abc123^*;
create user test02 identified by abc123^*
ERROR at line 1:
ORA-00922: missing or invalid option

SQL> -- OK, fails again as expected but this time a different error
SQL> -- message. Next try and create a user with any special characters
SQL> -- but this time enclosed in quotes. This should work.
SQL> create user test02 identified by "^*abc£";

User created.

SQL> -- it works as expected. Now try an alter user again with any
SQL> -- special characters.
SQL> alter user test02 identified by "%$ghj^";

User altered.

SQL> -- again it works as expected.

The above examples show that you can use letters, digits and _#$ without
quotes and any character with quotes, both for create user statements and
also for alter user statements. It is also possible to use control
characters, such as carriage returns, in passwords to make it difficult
to use the password on the command line.

Kind regards



The characters that can be used as part of an Oracle password are just one part of choosing strong Oracle passwords. A good password should not be a dictionary word or the same as the username, or even usernameXX where XX is a number such as 01 or 02. The password should also include digits and special characters where possible. It is important to remember that Oracle passwords are not case sensitive, so the valid alphabet is reduced by 26 characters: "a" is the same as "A" in an Oracle password. (This holds for 10g and earlier; from 11g passwords are case sensitive by default, controlled by the SEC_CASE_SENSITIVE_LOGON parameter.) It is good to try and use passwords enclosed in quotes so that the usable character set is increased. This makes brute force attacks harder to accomplish, especially if non-ASCII characters are used. Finally, remember to use the password management features added in Oracle 8 (profiles with FAILED_LOGIN_ATTEMPTS, PASSWORD_LIFE_TIME and so on) and also use a password verification function to help enforce strong passwords.
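The following is an added example, not code from the original post: a PASSWORD_VERIFY_FUNCTION that enforces the rules described above (minimum length, not the username or username plus digits, not a dictionary word, must contain a letter, a digit and a special character), attached to a profile. It must be run as SYS, because Oracle requires the verification function to be owned by SYS. The function name pf_verify_strong, the profile name strong_pwd and the short dictionary list are assumptions made for this example; Oracle's own template for such a function ships as $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. Regular expressions are deliberately avoided so the code also works on 8i and 9i.

```sql
-- Added example (not from the original post). Run as SYS.
-- pf_verify_strong, strong_pwd and the dictionary list are assumed names.
CREATE OR REPLACE FUNCTION pf_verify_strong (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN
IS
    -- Compare in upper case: pre-11g password hashes are case insensitive,
    -- so scott01 and SCOTT01 are the same password to the server.
    pw          VARCHAR2(256) := UPPER(password);
    un          VARCHAR2(256) := UPPER(username);
    c           VARCHAR2(10);
    has_letter  BOOLEAN := FALSE;
    has_digit   BOOLEAN := FALSE;
    has_special BOOLEAN := FALSE;
    TYPE word_list IS TABLE OF VARCHAR2(30);
    -- Constructed stub list; load a real word list into a table for production use.
    dictionary  word_list := word_list('PASSWORD', 'ORACLE', 'WELCOME',
                                       'MANAGER', 'TIGER', 'SECRET');
BEGIN
    IF LENGTH(pw) < 8 THEN
        RAISE_APPLICATION_ERROR(-20001, 'password must be at least 8 characters');
    END IF;

    -- Reject the username itself and username followed by digits (scott,
    -- scott01, scott2 ...). LTRIM strips leading digits from the remainder;
    -- if nothing is left, the remainder was empty or consisted only of digits.
    IF SUBSTR(pw, 1, LENGTH(un)) = un
       AND LTRIM(SUBSTR(pw, LENGTH(un) + 1), '0123456789') IS NULL THEN
        RAISE_APPLICATION_ERROR(-20002, 'password must not be the username or username plus digits');
    END IF;

    FOR i IN 1 .. dictionary.COUNT LOOP
        IF pw = dictionary(i) THEN
            RAISE_APPLICATION_ERROR(-20003, 'password is a dictionary word');
        END IF;
    END LOOP;

    -- old_password is only supplied when a user changes their own password.
    IF old_password IS NOT NULL AND pw = UPPER(old_password) THEN
        RAISE_APPLICATION_ERROR(-20004, 'new password must differ from the old one');
    END IF;

    -- Require a letter, a digit and at least one other character. Anything that
    -- is not A-Z or 0-9 counts as special, which covers _ # $ as well as the
    -- characters that are only allowed inside double quotes. INSTR matches
    -- byte for byte, so NLS sort settings do not affect the classification.
    FOR i IN 1 .. LENGTH(pw) LOOP
        c := SUBSTR(pw, i, 1);
        IF INSTR('0123456789', c) > 0 THEN
            has_digit := TRUE;
        ELSIF INSTR('ABCDEFGHIJKLMNOPQRSTUVWXYZ', c) > 0 THEN
            has_letter := TRUE;
        ELSE
            has_special := TRUE;
        END IF;
    END LOOP;

    IF NOT (has_letter AND has_digit AND has_special) THEN
        RAISE_APPLICATION_ERROR(-20005, 'password needs a letter, a digit and a special character');
    END IF;

    RETURN TRUE;
END pf_verify_strong;
/

-- Attach the function to a profile together with the other password
-- management limits, then put the user on that profile.
CREATE PROFILE strong_pwd LIMIT
    PASSWORD_VERIFY_FUNCTION pf_verify_strong
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7;

ALTER USER test01 PROFILE strong_pwd;

-- Every later password change for test01 runs through the function; a
-- rejection surfaces as ORA-28003 carrying the message raised above.
ALTER USER test01 IDENTIFIED BY test0101;          -- rejected: username plus digits
ALTER USER test01 IDENTIFIED BY password;          -- rejected: dictionary word
ALTER USER test01 IDENTIFIED BY abc12#;            -- rejected: too short
ALTER USER test01 IDENTIFIED BY abc456#_$;         -- accepted: unquoted character set
ALTER USER test01 IDENTIFIED BY "Str0ng#pa$s!";    -- accepted: quoted, wider character set
```

The function only sees the password the server was given, so a quoted password arrives with its special characters intact but, on 10g and earlier, is still compared case-insensitively. Users not assigned to strong_pwd (or on DEFAULT, whose PASSWORD_VERIFY_FUNCTION is NULL unless you change it) are not checked, so audit DBA_USERS.PROFILE after installing it.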