Oracle 12 set user password Expiration date or EXPIRED(Grace)

oraclepassword

Is it possible to set a future expiration date on a user account in Oracle? Or to set a account status to EXPIRE(GRACE)

We want to implement a more strict password policy, and I've created the new Profile, but would like to use Oracle's password grace period function to warn users (instead of just running a script to immediately expire the user accounts).

(In short, yes I can and will send out an email telling everyone their password will expire in 10 days, but I'd rather have Oracle tell them when they log in so they can't deny seeing the warning)

I don't see an option for ALTER USER... for expiration dates.

Also when I added some users to the new profile (which has a 90 day Password Life Time and a 30 day Password Grace Time for some reason it automatically set their expiration date to 51 days and 6 hours from now, which I thought was rather odd.

Best Answer

You have to use a profile and a combination of password_life_time and password_grace_time; Lifetime will set the expiry time of password and grace_time will warn them (after expiry) as you'd expect. All you then need to do is assign the profile to user or users (using alter user).

A quick demo?

SQL> set echo on
SQL> drop user testa cascade;
User TESTA dropped.
SQL> create user testa identified by testa;
User TESTA created.
SQL> grant create session to testa;
Grant succeeded.
SQL> prompt this connection should be successful as there is no profile attached.
this connection should be successful as there is no profile attached.
SQL> conn testa/testa
Connected.
SQL> connect as a dba user
Connected.
SQL> drop profile test_profile;
Profile TEST_PROFILE dropped.
SQL> -- using profile i am setting password to expire in about 10 seconds useful for our testing 
SQL> -- 0.0001158 is about 10 (10/86400)
SQL> -- grace time is set to 1 day
SQL> create profile test_profile limit password_life_time 0.0001158 password_grace_time 1;
Profile TEST_PROFILE created.
SQL> -- now you assign the profile to the user who should get warning .
SQL> alter user testa profile test_profile;
User TESTA altered.
SQL> exec dbms_lock.sleep(20);
PL/SQL procedure successfully completed.
SQL> prompt this connection should show a warning 
this connection should show a warning
SQL> conn testa/testa
ERROR:
ORA-28002: the password will expire within 1 days
Connected.
SQL> select account_status ,expiry_date, PROFILE, sysdate from user_users;
ACCOUNT_STATUS   EXPIRY_DATE         PROFILE        SYSDATE            
---------------- ------------------- -------------- -------------------
EXPIRED(GRACE)   03/21/2017 14:56:00 TEST_PROFILE   03/20/2017 14:56:00

Related Solutions

Oracle11g password expiry issue

According to the Oracle documentation here (see heading Setting the PASSWORD_LIFE_TIME Profile Parameter to a Low Value) the account status is changed from OPEN to EXPIRED(GRACE) if the user is currently logged in when you change PASSWORD_LIFE_TIME to a low value. I guess you were logged in as system when you changed the PASSWORD_LIFE_TIME. Try logging in as CUSUSER and then changing it.

The following method will set a user's account status to EXPIRED(GRACE):

create profile EXPTESTPROF limit
failed_login_attempts             1
password_life_time                1/24/60/60
password_reuse_time               unlimited
password_reuse_max                1
password_verify_function          null
password_lock_time                1
password_grace_time               1;

create user EXPTEST identified by EXPTEST;

alter user EXPTEST profile EXPTESTPROF;

grant "CONNECT" to EXPTEST;

Then login as EXPTEST. You'll get the message that the password will expire within 1 day. If you check the ACCOUNT_STATUS now it should say EXPIRED(GRACE):

select ACCOUNT_STATUS
  from DBA_USERS
 where USERNAME = 'EXPTEST'

Oracle: Can a user log in without a password

Possible solutions:

Use a Secure External Password Store (Oracle Wallet): http://docs.oracle.com/database/121/DBSEG/authentication.htm#CHDHGAIJ

You can use the stored credentials without specifying a username or password. Connection string: /@orcl.

REMOTE_OS_AUTHENT: http://docs.oracle.com/cd/E18283_01/server.112/e17110/initparams208.htm

Not recommended, insecure, mentioned just for completeness, do not use it.

Kerberos Authentication: http://docs.oracle.com/database/121/DBSEG/asokerb.htm

You can use your directory credentials for logging in without specifying your username or password. Connection string: /@orcl.

SSL Authentication: http://docs.oracle.com/database/121/DBSEG/asossl.htm

You own a certificate and you will be authenticated by that, without specifying a username or password. Connection string: /@orcl.

Operating system authentication based on group membership. Works only locally, and for privileged users. Connection string: / as sysdba, / as sysoper, / as sysbackup, / as sysdg, / as syskb.

Best Answer

Related Solutions

Oracle11g password expiry issue

Oracle: Can a user log in without a password

Related Question