
11g New Features - Case-sensitive passwords

Probably a long-overdue feature. One could have implemented the same
thing with a password verify function in earlier releases, but it became
necessary in order to comply with industry-wide data security standards.
Starting with 11g, case-sensitive passwords are enforced automatically.

Here is how to implement the case-sensitive passwords feature:

SQL> create user GJILVSKI identified by GJILVSKI;

User created.

SQL> grant create session to GJILVSKI;

Grant succeeded.

SQL> connect GJILVSKI/gjilvski@db11g
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.


SQL> connect GJILVSKI/GJILVSKI@db11g
Connected.
SQL>

See the difference: since the user was created with an upper-case
password, the lower-case password was rejected when connecting as
"GJILVSKI". Had it been 10g, you would easily get connected. So now,
"GJILVSKI", "gjilvski" and "GJilvski" are different passwords.

However, Oracle has also provided an initialization parameter to disable
case-sensitive passwords, i.e. going back to the old way of 10g and prior
versions.

SQL> show parameter SEC_CASE_SENSITIVE_LOGON

NAME                                 TYPE        VALUE
------------------------------------ ----------- ---------
sec_case_sensitive_logon             boolean     TRUE

SQL> ALTER SYSTEM set SEC_CASE_SENSITIVE_LOGON=FALSE scope=both;

System altered.

SQL> show parameter SEC_CASE_SENSITIVE_LOGON

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
sec_case_sensitive_logon             boolean     FALSE

And now see the difference...

SQL> conn GJILVSKI/gjilvski@db11g
Connected.

SQL> conn GJILVSKI/GJILVSKI@db11g
Connected.
SQL>

So it connects irrespective of case. A new column, "PASSWORD_VERSIONS",
has been added to the "DBA_USERS" view to indicate the database version
in which the password was created or changed.

SQL> select username,PASSWORD_VERSIONS from dba_users;

USERNAME                       PASSWORD
------------------------------ --------
.....
SCOTT                          10G 11G
GJILVSKI                       10G 11G

According to the documentation, if a database was migrated from 10g then it
would have both "10G" and "11G" in it.
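
An audit query for the points above, added here as an example and not part of the original post: it joins the SEC_CASE_SENSITIVE_LOGON setting to DBA_USERS and flags accounts whose passwords are still matched without regard to case. It assumes an 11g database and a session that can read V$PARAMETER and DBA_USERS; the LOGON_CASE_CHECK column name and its labels are made up for this example.

```sql
-- Added example: per-account view of whether password case is enforced.
-- LOGON_CASE_CHECK and its label texts are illustrative names, not Oracle's.
SELECT u.username,
       u.account_status,
       u.password_versions,
       p.value AS sec_case_sensitive_logon,
       CASE
         -- Instance-wide switch off: every password is matched ignoring case.
         WHEN UPPER(p.value) = 'FALSE'
           THEN 'case ignored: SEC_CASE_SENSITIVE_LOGON is FALSE'
         -- No value listed, so there is nothing to compare case against here.
         WHEN u.password_versions IS NULL
           THEN 'no password version listed'
         -- Password last set before 11g: no 11G verifier exists yet, so
         -- case is ignored until the password is changed.
         WHEN u.password_versions NOT LIKE '%11G%'
           THEN 'case ignored: only a 10G verifier, change the password'
         ELSE 'case enforced'
       END AS logon_case_check
FROM   dba_users u
       CROSS JOIN (SELECT value
                   FROM   v$parameter
                   WHERE  name = 'sec_case_sensitive_logon') p
ORDER  BY logon_case_check, u.username;
```

Rows other than 'case enforced' are the accounts to deal with before relying on case-sensitive logons.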

One can also enforce case-sensitive passwords for SYSDBA users. Use the
"ignorecase" argument when creating password files with the "ORAPWD" utility.
The default value for "ignorecase" is "n", and you can set it to "y" to enable
case-sensitive passwords.

e.g. $orapwd file=orapw entries=5 ignorecase=y

So if you plan to upgrade to 11g then make sure you change passwords to
adhere to case-sensitivity and ensure that you change your scripts which
have inconsistent password cases too.

Reference: Oracle® Database Security Guide 11g Release 1 (11.1), Part
Number B28531-04
