Oracle has back-ported “Gradual Database Password Rollover” security feature that was initially introduced in Oracle 21c to Oracle 19c with July 2021 RU (Release Update- 19.12) and there is no need to change the compatibility parameter.

Reference link: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/release-changes.html#GUID-FDE1D67B-1766-48E1-89EE-7F8505A4EF83

This great new feature is very much needed and great addition from Oracle (Thank You Oracle)….if there is a need to change passwords for critical applications/systems this will require application shutdown first then updating the “new” password in multiple places of the application….with this new feature you can change the password without the need of application outage/downtime and there will be NO Locking of the account taking place as both old & new passwords will be authenticated successfully by the database until rollover period is finished.

T Explore it I will create a new profile called “DEFAULT2” with parameter PASSWORD_ROLLOVER_TIME set to 1 day:

CREATE  PROFILE DEFAULT2

LIMIT

    COMPOSITE_LIMIT UNLIMITED

    SESSIONS_PER_USER UNLIMITED

    CPU_PER_SESSION UNLIMITED

    CPU_PER_CALL UNLIMITED

    LOGICAL_READS_PER_SESSION UNLIMITED

    LOGICAL_READS_PER_CALL UNLIMITED

    IDLE_TIME UNLIMITED

    CONNECT_TIME UNLIMITED

    PRIVATE_SGA UNLIMITED

    FAILED_LOGIN_ATTEMPTS 5

    PASSWORD_LIFE_TIME 360

    PASSWORD_REUSE_TIME 1

    PASSWORD_REUSE_MAX 4

    PASSWORD_VERIFY_FUNCTION ORA12C_STIG_VERIFY_FUNCTION

    PASSWORD_LOCK_TIME 1

    PASSWORD_GRACE_TIME 30

    PASSWORD_ROLLOVER_TIME 1;

  SQL> CREATE USER emad1 IDENTIFIED BY EMAD_first_prm221d

     PROFILE DEFAULT2

      DEFAULT TABLESPACE “USERS”

      TEMPORARY TABLESPACE “TEMP”;

SQL> grant create session to emad1 ;

SQL> select username,account_status,profile,authentication_type  from dba_users where username=’EMAD1′;

Now, I will change the password to a different value:

SQL> alter user emad1 identified by EMAD_first_prm33zd;

If you query the dba_users view, you find that account_status is now changed from “OPEN” to “OPEN & IN ROLLOVER”

NOTE: What will happen if you change the password again, in this case Only the first password and the third one will authenticate successfully….so if you change the password multiple times only 2 passwords are valid for authentication (the first initial password, and the last password reset).

Another side note…. that maximum number of days allowed for the value of the parameter “PASSWORD_ROLLOVER_TIME” is 60 (which is 60 days), and minimum value is 1 hour.

To forcefully end the rollover period you can execute the following SQL command:

SQL> alter user emad1 expire password rollover period;

Checking SYS.USER$ table, you will see the value of ASTATUS column changed from “32” to “0” , zero is the value after the rollover period is finished. So the value of “32” indicates that the database account is in the “rollover” phase.