Information
No password versions (hashes) prior to 12c should be allowed for user authentication.
Oracle 12c and later versions enforce stronger password hashing algorithms and complexity policies, enhancing security. Older password versions (pre-12c) are considered weak and do not meet modern security standards. Using outdated password versions increases the risk of password compromise.
Solution
Follow the process "Finding and Resetting User Passwords That Use the 10G Password Version" as outlined in the Oracle Database Upgrade Guide to reset affected user passwords and enforce 12c password versioning.
- Identify users with old password versions.
- Ensure that SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12 in the server's sqlnet.ora.
- Reset their passwords using the ALTER USER command.
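The three steps above as an added SQL example (not part of this benchmark entry or of Oracle's own documentation), run as a DBA-privileged account; APP_USER and the password value are placeholders, and the sqlnet.ora path is assumed to be the default one:

```sql
-- Step 1: list accounts that still carry a pre-12c (10G) password verifier.
-- DBA_USERS.PASSWORD_VERSIONS holds the verifiers stored for each account,
-- e.g. '10G 11G 12C' or '11G 12C'. ANONYMOUS is excluded, as in the
-- Oracle upgrade guide's own query.
SELECT username, password_versions, account_status
  FROM dba_users
 WHERE password_versions LIKE '%10G%'
   AND username <> 'ANONYMOUS'
 ORDER BY username;

-- Step 1b (impact check): accounts that have ONLY the 10G verifier will be
-- unable to log in once the server requires version 12, so plan their
-- resets before changing sqlnet.ora.
SELECT username, password_versions, account_status
  FROM dba_users
 WHERE password_versions LIKE '%10G%'
   AND password_versions NOT LIKE '%11G%'
   AND password_versions NOT LIKE '%12C%'
   AND username <> 'ANONYMOUS';

-- Step 2 (done outside SQL): in $ORACLE_HOME/network/admin/sqlnet.ora on the
-- database server, set the minimum allowed authentication protocol:
--   SQLNET.ALLOWED_LOGON_VERSION_SERVER=12
-- With this value the 10G verifier is no longer generated, so the reset in
-- step 3 stores only the 11G and 12C verifiers.

-- Step 3: reset each account returned by step 1. APP_USER and the password
-- are placeholders; repeat for every affected account.
ALTER USER app_user IDENTIFIED BY "<new-strong-password>";

-- Verification: once every affected account is reset, this returns no rows.
SELECT username, password_versions
  FROM dba_users
 WHERE password_versions LIKE '%10G%'
   AND username <> 'ANONYMOUS';
```

The verification query is also suitable as a recurring audit check, since any account created or reset while the old sqlnet.ora setting was still in effect would reappear in it.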
Impact:
Resetting user passwords without proper migration planning may result in application downtime or loss of access.
Users with passwords hashed in an older format will be required to reset their passwords. Limiting authentication to 12c password versions may impact connectivity from older clients that rely on deprecated authentication mechanisms. Applications using pre-12c authentication methods must be updated to support 12c or later password hashing mechanisms.