Home » RDBMS Server » Security » ORA-28007: the password cannot be reused
ORA-28007: the password cannot be reused [message #48983] Thu, 06 January 2005 01:07 Go to next message
Safeeq
Messages: 21
Registered: September 2004
Junior Member
When User Logon to the application (web based) then
we need to check password life time, validation etc.

Then when user changing their passwords thay can reuse the old passwords with certain conditions,
i.e "Except last three changed passwords can be used"
I checked oracle website, in that "Password Management" only achieved by Creating User Profile for a particular user.
But i cant reuse the passwords.

No of Cycles Passwords for DB
Cycle 1 -> ubs1
Cycle 2 -> ubs2
Cycle 3 -> ubs3
Cycle 4 -> ubs4

After 4th Cycle i want to use "ubs1". Last 3 cycles i dont want use. But when i tried it doesnt work.
Cycle 5 -> ubs1 => gives error ORA-28007: the password cannot be reused.

The relevant script is also given below:-
SQL> show user
USER is "UBSUAT"
SQL>
SQL> CREATE PROFILE user_logon_profile LIMIT
2 password_reuse_time UNLIMITED
3 password_reuse_max 3;

Profile created.

SQL> alter user ubsuat profile user_logon_profile;

User altered.

SQL> alter user ubsuat identified by ubs1;

User altered.

SQL> alter user ubsuat identified by ubs2;

User altered.

SQL> alter user ubsuat identified by ubs3;

User altered.

SQL> alter user ubsuat identified by ubs4;

User altered.

SQL> alter user ubsuat identified by ubs1;
alter user ubsuat identified by ubs1
*
ERROR at line 1:
ORA-28007: the password cannot be reused

SQL> alter user ubsuat identified by ubs2;
alter user ubsuat identified by ubs2
*
ERROR at line 1:
ORA-28007: the password cannot be reused

SQL> alter user ubsuat identified by ubs5;

User altered.

SQL> alter user ubsuat identified by ubs1;
alter user ubsuat identified by ubs1
*
ERROR at line 1:
ORA-28007: the password cannot be reused

SQL> select * from dba_profiles where profile='USER_LOGON_PROFILE';

PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
USER_LOGON_PROFILE COMPOSITE_LIMIT KERNEL DEFAULT
USER_LOGON_PROFILE SESSIONS_PER_USER KERNEL DEFAULT
USER_LOGON_PROFILE CPU_PER_SESSION KERNEL DEFAULT
USER_LOGON_PROFILE CPU_PER_CALL KERNEL DEFAULT
USER_LOGON_PROFILE LOGICAL_READS_PER_SESSION KERNEL DEFAULT
USER_LOGON_PROFILE LOGICAL_READS_PER_CALL KERNEL DEFAULT
USER_LOGON_PROFILE IDLE_TIME KERNEL DEFAULT
USER_LOGON_PROFILE CONNECT_TIME KERNEL DEFAULT
USER_LOGON_PROFILE PRIVATE_SGA KERNEL DEFAULT
USER_LOGON_PROFILE FAILED_LOGIN_ATTEMPTS PASSWORD DEFAULT
USER_LOGON_PROFILE PASSWORD_LIFE_TIME PASSWORD DEFAULT

PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
USER_LOGON_PROFILE PASSWORD_REUSE_TIME PASSWORD UNLIMITED
USER_LOGON_PROFILE PASSWORD_REUSE_MAX PASSWORD 3
USER_LOGON_PROFILE PASSWORD_VERIFY_FUNCTION PASSWORD DEFAULT
USER_LOGON_PROFILE PASSWORD_LOCK_TIME PASSWORD DEFAULT
USER_LOGON_PROFILE PASSWORD_GRACE_TIME PASSWORD DEFAULT

16 rows selected.

Please could anyone tell me why im not able to change the password even after the fourth cycle?.
Re: ORA-28007: the password cannot be reused [message #49000 is a reply to message #48983] Thu, 06 January 2005 12:56 Go to previous message
Barbara Boehmer
Messages: 9077
Registered: November 2002
Location: California, USA
Senior Member
What version of Oracle are you using? Prior to 8.1.6 there were bugs in the alter user command and prior to 10g there were documentation bugs regarding password_reuse_time and password_reuse_max. According to the new 10g documentation, if only one of those two is set to unlimited, then the password can never be re-used. In Oracle 10g, you can set password_reuse_time to a fraction of a day, but Oracle 9i seems to only accept integers. So, prior to 10g, about the best you can do is to set password_resuse_time to 1 day and password_resuse_max to 3 changes. So, that would allow the user to re-use a password only after both conditions have been met, in other words after one day has passed and the password has been changed three times. Here is a link to the new 10g documentation on the subject:



If you have access to Metalink, you can also see Metalink support note 228991.1.
Previous Topic: Creating a new user and grant dba
Next Topic: user account can't access dba_data_files
Goto Forum:
  


Current Time: Fri Mar 29 05:10:59 CDT 2024