Oracle has back-ported “Gradual Database Password Rollover” security feature that was initially introduced in Oracle 21c to Oracle 19c with July 2021 RU (Release Update- 19.12) and there is no need to change the compatibility parameter.
Reference link: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/release-changes.html#GUID-FDE1D67B-1766-48E1-89EE-7F8505A4EF83
This great new feature is very much needed and great addition from Oracle (Thank You Oracle)….if there is a need to change passwords for critical applications/systems this will require application shutdown first then updating the “new” password in multiple places of the application….with this new feature you can change the password without the need of application outage/downtime and there will be NO Locking of the account taking place as both old & new passwords will be authenticated successfully by the database until rollover period is finished.
T Explore it I will create a new profile called “DEFAULT2” with parameter PASSWORD_ROLLOVER_TIME set to 1 day:
CREATE PROFILE DEFAULT2
SQL> CREATE USER emad1 IDENTIFIED BY EMAD_first_prm221d
DEFAULT TABLESPACE “USERS”
TEMPORARY TABLESPACE “TEMP”;
SQL> grant create session to emad1 ;
SQL> select username,account_status,profile,authentication_type from dba_users where username=’EMAD1′;
Now, I will change the password to a different value:
SQL> alter user emad1 identified by EMAD_first_prm33zd;
If you query the dba_users view, you find that account_status is now changed from “OPEN” to “OPEN & IN ROLLOVER”
NOTE: What will happen if you change the password again, in this case Only the first password and the third one will authenticate successfully….so if you change the password multiple times only 2 passwords are valid for authentication (the first initial password, and the last password reset).
Another side note…. that maximum number of days allowed for the value of the parameter “PASSWORD_ROLLOVER_TIME” is 60 (which is 60 days), and minimum value is 1 hour.
To forcefully end the rollover period you can execute the following SQL command:
SQL> alter user emad1 expire password rollover period;
Checking SYS.USER$ table, you will see the value of ASTATUS column changed from “32” to “0” , zero is the value after the rollover period is finished. So the value of “32” indicates that the database account is in the “rollover” phase.