
Password File

Main Points in this section

• What is the purpose of password file
• Connecting as sys
• What is the default location of password file
• How to create a password file
• Deleting password file
• How to add users in password file
• What is REMOTE_LOGIN_PASSWORDFILE parameter

What is the purpose of password file

If the DBA wants to start up an Oracle instance, there must
be a way for Oracle to authenticate this DBA, that is, to
check whether (s)he is allowed to do so. Obviously, the DBA's
password cannot be stored in the database, because Oracle
cannot access the database before the instance is started up.
Therefore, the authentication of the DBA must happen outside
of the database. There are two distinct mechanisms to
authenticate the DBA: using the password file or through the
operating system.

The init parameter remote_login_passwordfile specifies whether
a password file is used to authenticate the DBA. If it is set
to either shared or exclusive, a password file will be used.

Connecting as sys

A user who belongs to the "dba" group on Unix, or the
"ORA_DBA" (ORA_sid_DBA) group on Windows, can connect
without a password.

• sqlplus "/ as sysdba" -> password file not needed.

If a user does not belong to the dba UNIX group, a password is
required.

• sqlplus "shekhar/password as sysdba" -> password file needed

What is the default location of password file


The default location for the password file is:
$ORACLE_HOME/dbs/orapw$ORACLE_SID on Unix and
%ORACLE_HOME%\database\PWD%ORACLE_SID%.ora on Windows.

How to create a password file

orapwd file=password_file_name password=the_secret_password entries=n

n specifies the maximum number of distinct DBAs and OPERs
that can be stored in the password file.

Deleting password file

If password file authentication is no longer needed, the
password file can be deleted and the init parameter
remote_login_passwordfile set to none.

REMOTE_LOGIN_PASSWORDFILE

remote_login_passwordfile specifies whether Oracle checks for a
password file and whether this password file is shared among
databases.
The following values are possible:

• none
Oracle ignores the password file if it exists.
• exclusive
Password file is exclusively used by one database.
Any user can be added to the password file.
• shared
The password file is shared among databases.

How to add users in password file

SYS@ora10> show user;
USER is "SYS"

SYS@ora10> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE

SYS@ora10> grant SYSDBA to rene;

Grant succeeded.

SYS@ora10> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
RENE                           TRUE  FALSE

SYS@ora10> grant SYSOPER to rene;

Grant succeeded.

SYS@ora10> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
RENE                           TRUE  TRUE

SYS@ora10> revoke SYSDBA from rene;

Revoke succeeded.

SYS@ora10> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
RENE                           FALSE TRUE

SYS@ora10> revoke SYSOPER from rene;

Revoke succeeded.

SYS@ora10> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
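
The checks below are an added example, not part of the original document or of Oracle's tooling. The script builds the default Unix password file path given earlier, verifies that the file carries no permissions for "other" (an assumed hardening policy), and flags every account besides SYS that holds SYSDBA or SYSOPER in v$pwfile_users output; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for an Oracle password file on Unix.
# Function names are hypothetical; nothing here ships with Oracle.

# Default Unix location stated on this page: $ORACLE_HOME/dbs/orapw$ORACLE_SID
pwfile_path() {
    printf '%s/dbs/orapw%s\n' "$1" "$2"
}

# Succeeds only if the file exists and "other" has no permission bits.
# Returns 2 when the file is missing, 1 when others can access it.
# (Assumed policy for this example: only the Oracle owner/group may read it.)
pwfile_mode_ok() {
    [ -f "$1" ] || return 2
    other_bits=$(ls -ld "$1" | cut -c8-10)
    [ "$other_bits" = "---" ]
}

# Read "select * from v$pwfile_users" output (three-column layout shown
# on this page) on stdin and print every account other than SYS that
# has SYSDBA or SYSOPER set to TRUE.
extra_privileged_users() {
    awk '$1 != "SYS" && ($2 == "TRUE" || $3 == "TRUE") { print $1 }'
}

# Constructed sample, same shape as the listings above.
SAMPLE='USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
RENE                           FALSE TRUE'

echo "Accounts besides SYS in the password file:"
printf '%s\n' "$SAMPLE" | extra_privileged_users

# Check the live file only when the Oracle environment is set.
if [ -n "${ORACLE_HOME:-}" ] && [ -n "${ORACLE_SID:-}" ]; then
    f=$(pwfile_path "$ORACLE_HOME" "$ORACLE_SID")
    pwfile_mode_ok "$f" || echo "review $f: missing or accessible to others"
fi
```

On a real system, pipe the spooled output of the v$pwfile_users query into extra_privileged_users and compare the result with the list of DBAs who are supposed to hold these privileges.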

Can one switch to another database user without a password?

Users normally use the "CONNECT" statement to connect from
one database user to another. However, DBAs can switch from
one user to another without a password.

SQL> CONNECT / as sysdba

Connected.

SQL> SELECT password FROM dba_users WHERE username='SCOTT';

PASSWORD
--------------- ---------------
F894844C34402B67

SQL> ALTER USER scott IDENTIFIED BY anything;

User altered.

SQL> CONNECT scott/anything

Connected.

OK, we're in. Let's quickly change the password back before anybody
notices.

SQL> ALTER USER scott IDENTIFIED BY VALUES 'F894844C34402B67';

User altered.
