
Breaking the Oracle Database Password Stalemate: A Solution That Actually Works

Mark Burgess

How many critical applications in your organisation are still using Oracle database passwords that haven’t been changed in 2+ years? For many IT leaders, the answer is uncomfortable.

With compliance frameworks like SOX, PCI DSS, and emerging data protection regulations tightening their grip, unchanged database passwords represent a ticking time bomb. Recent breach statistics show that compromised credentials remain one of the top attack vectors, yet Oracle database application account passwords often sit untouched for years or remain at dangerous default values.

The Familiar Excuse Cycle

When it comes to changing Oracle database application account passwords, how many times have you heard some combination of “it’s too hard/can’t be done/not sure of the impact/vendor silence or non-response”? These responses have become so routine that many organisations have simply accepted the risk rather than face potential downtime or application failures.

The reality is that traditional password changes for database application accounts have been high-risk, all-or-nothing events. Change the password, update every connection string and configuration file simultaneously, and hope nothing breaks. Miss one connection point, and critical applications go offline, and the root cause is an absolute nightmare to diagnose.

Oracle Provides a Path Forward

Fortunately, Oracle has addressed this challenge with a feature that changes the game entirely. Gradual password rollover, introduced in Oracle 21c and backported to Oracle 19c (19.12 and above), allows both the old and new passwords to work simultaneously during a transition period.

Here’s how it works: instead of an immediate cutover, you can activate the new password while keeping the old one functional. This gives you time to methodically update applications, test connections, identify old password connection sources, and verify everything works before decommissioning the old password. It transforms a high-risk big bang change into a controlled, reversible process.

Implementation Requirements

Before implementing gradual password rollover, ensure your Oracle database is running 19.12+, Oracle 21c or 23ai. The feature works with most connection methods, though you’ll want to test with your specific application stack. The rollover period is configurable up to 60 days, giving you the flexibility to extend or shorten the transition window based on your operational needs.

Ready to Get Started?

This feature can be enabled using the following example for a 30 day rollover period:

alter profile EBS_APPS limit PASSWORD_ROLLOVER_TIME 30;

To check what client connections are still using the old password:

SELECT DBUSERNAME, AUTHENTICATION_TYPE, OS_USERNAME, USERHOST, EVENT_TIMESTAMP
FROM UNIFIED_AUDIT_TRAIL
WHERE ACTION_NAME='LOGON' AND EVENT_TIMESTAMP > SYSDATE-1
AND REGEXP_LIKE(AUTHENTICATION_TYPE, '(VERIFIER=.*?-OLD)');
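The full lifecycle of one rollover, as an added example that is not from the original post: it assumes a hypothetical application account APPUSER assigned to the EBS_APPS profile, placeholder passwords, and a unified audit policy that records successful logons (by default only failed logons are audited, so the old-versus-new check would otherwise return nothing).

```sql
-- Added example (not from the original post). Assumes a hypothetical
-- account APPUSER assigned to profile EBS_APPS; passwords are placeholders.

-- 1. Allow a 30-day rollover window on the profile (maximum is 60 days).
ALTER PROFILE EBS_APPS LIMIT PASSWORD_ROLLOVER_TIME 30;

-- 2. Successful logons are not audited by default; audit them for this
--    account so the old-versus-new verifier check below has data to use.
CREATE AUDIT POLICY app_logon_pol ACTIONS LOGON;
AUDIT POLICY app_logon_pol BY APPUSER;

-- 3. Change the password. This does NOT cut over: the old password keeps
--    working until the rollover period ends or is expired explicitly.
ALTER USER APPUSER IDENTIFIED BY "NewPlaceholderPwd#1";

-- 4. Confirm the account is in rollover.
SELECT username, account_status, profile
FROM   dba_users
WHERE  username = 'APPUSER';            -- expect OPEN & IN ROLLOVER

-- 5. Which hosts and OS users still authenticate with the OLD password?
--    A VERIFIER=...-OLD token marks old-password logons; the rest are new.
SELECT userhost,
       os_username,
       CASE WHEN REGEXP_LIKE(authentication_type, 'VERIFIER=[^)]*-OLD')
            THEN 'OLD' ELSE 'NEW' END AS password_used,
       COUNT(*)             AS logons,
       MAX(event_timestamp) AS last_seen
FROM   unified_audit_trail
WHERE  dbusername  = 'APPUSER'
AND    action_name = 'LOGON'
AND    return_code = 0
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
GROUP  BY userhost, os_username,
       CASE WHEN REGEXP_LIKE(authentication_type, 'VERIFIER=[^)]*-OLD')
            THEN 'OLD' ELSE 'NEW' END
ORDER  BY password_used, last_seen DESC;

-- 6. Once no OLD rows remain, close the window early instead of waiting
--    the full 30 days. The old password stops working immediately.
ALTER USER APPUSER EXPIRE PASSWORD ROLLOVER PERIOD;

-- 7. Verify the status has returned to OPEN.
SELECT username, account_status FROM dba_users WHERE username = 'APPUSER';
```

Run step 5 daily during the window; a host that keeps showing up as OLD is a connection source whose configuration has not yet been updated.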

The days of accepting password security risks due to operational complexity are over. Oracle provides a robust solution that eliminates the traditional barriers to regular password rotation.
