Oracle ORAPWD Utility
Versions: All

Security Advisory
ORAPWD, the Oracle Database password utility, is used to create password files for remote authentication. The file is used to authenticate, over SQL*Net, users connecting with userids related to a small number of default escalated-privilege accounts: SYSDBA, SYSBACKUP, SYSDG and SYSKM.

As of version 12.1.0.1 ORAPWD has syntax elements for SYSBACKUP, SYSDG, and SYSKM.
As of version 12.2.0.1 ORAPWD enforces password complexity rules.

Operating System Privileges
To access orapwd a user must have operating system level access to the ORACLE_HOME file system.
 
Recommended Security Rules

 NEVER
  • Make O/S access to the orapwd utility available to anyone without knowing how you will audit use of the application
 WITH GREAT CARE
  • Change permissions on the orapwd executable to limit misuse or abuse to as great an extent as is possible
 CAUTIONS
  • N/A
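
One way to check the permissions these rules are concerned with, as an added example that is not part of the original page or of any Oracle tooling: a POSIX shell function that reports whether the orapwd executable can be run by any account or modified by a non-owner, and whether password files are accessible to other accounts. The function name, the finding labels, and the assumption that password files are named orapw* or PWD*.ora under $ORACLE_HOME/dbs are illustrative.

```shell
#!/bin/sh
# Added example: report risky permissions on orapwd and on password files.
# Assumption: password files live in $ORACLE_HOME/dbs as orapw* or PWD*.ora.

# audit_orapwd_perms ORACLE_HOME
# Prints one finding per line. Returns 0 if clean, 1 if findings,
# 2 if the utility is not where the page says it is ({ORACLE_HOME}/bin/).
audit_orapwd_perms() {
  _oh=$1
  _bin="$_oh/bin/orapwd"
  _rc=0
  [ -f "$_bin" ] || { echo "MISSING $_bin"; return 2; }

  # Any account on the host can run the utility.
  if [ -n "$(find "$_bin" -perm -0001)" ]; then
    echo "WORLD_EXEC $_bin"; _rc=1
  fi

  # Group or other can replace the binary.
  if [ -n "$(find "$_bin" \( -perm -0020 -o -perm -0002 \))" ]; then
    echo "WRITABLE $_bin"; _rc=1
  fi

  # Password files with any permission bit set for "other".
  if [ -d "$_oh/dbs" ]; then
    _hits=$(find "$_oh/dbs" -type f \
              \( -name 'orapw*' -o -name 'PWD*.ora' \) \
              \( -perm -0004 -o -perm -0002 -o -perm -0001 \))
    if [ -n "$_hits" ]; then
      printf '%s\n' "$_hits" | sed 's/^/WORLD_ACCESS /'; _rc=1
    fi
  fi
  return $_rc
}

# Run against the real home only when ORACLE_HOME is set.
if [ -n "${ORACLE_HOME:-}" ]; then
  audit_orapwd_perms "$ORACLE_HOME" || true
fi
```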
 
Usage Information
Documented Yes
Exceptions
Error Code Reason
OPW-00029 Password complexity failed for SYS user :
  • Password must contain at least 8 characters
  • Password must not contain double quotes
  • Password must contain at least 1 letter
  • Password must contain at least 1 digit
  • Password must contain at least 1 special character
  • Password must not contain the username
  • Password must not contain username reversed
ORA-01994 Password file missing or disabled if the startup parameter REMOTE_LOGIN_PASSWORDFILE is null
ORA-28046 If the startup parameter REMOTE_LOGIN_PASSWORDFILE is set to SHARED, an ALTER USER statement to change a password fails with "Password change for SYS disallowed"
First Available Not known
Security Model Executable by the
Source {ORACLE_HOME}/bin/
Syntax (Full) orapwd file=<fname> force={y|n} asm={y|n}
dbuniquename=<dbname> format={12|12.2}
delete={y|n} input_file=<input-fname>
'sys={y | password | external(<sys-external-name>)
  | global(<sys-directory-DN>)}'
'sysbackup={y | password | external(<sysbackup-external-name>)
  | global(<sysbackup-directory-DN>)}'
'sysdg={y | password | external(<sysdg-external-name>)
  | global(<sysdg-directory-DN>)}'
'syskm={y | password | external(<syskm-external-name>)
  | global(<syskm-directory-DN>)}'
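
The OPW-00029 complexity rules listed under Exceptions above can be checked before orapwd is run. The following is an added example, not part of the original page or of Oracle's implementation: a POSIX shell function that applies each listed rule to a candidate password and prints every rule that fails. The function names and messages are illustrative, and matching the username without regard to case is an assumption.

```shell
#!/bin/sh
# Added example: pre-check a candidate password against the OPW-00029 rules
# listed on this page. Assumption: the username match ignores case.

reverse_string() {                  # print $1 reversed, POSIX sh only
  _in=$1; _out=
  while [ -n "$_in" ]; do
    _rest=${_in#?}                  # everything after the first character
    _first=${_in%"$_rest"}          # the first character
    _out=$_first$_out
    _in=$_rest
  done
  printf '%s' "$_out"
}

# check_orapwd_password USER PASSWORD
# Prints every failed rule; returns 0 when all pass, 1 otherwise,
# 2 when no username is given.
check_orapwd_password() {
  _user=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  _pw=$2
  _lpw=$(printf '%s' "$_pw" | tr '[:upper:]' '[:lower:]')
  [ -n "$_user" ] || { echo "username is required"; return 2; }
  _rev=$(reverse_string "$_user")
  _bad=0
  [ "${#_pw}" -ge 8 ] || { echo "must contain at least 8 characters"; _bad=1; }
  case $_pw in *\"*) echo "must not contain double quotes"; _bad=1 ;; esac
  case $_pw in *[A-Za-z]*) ;; *) echo "must contain at least 1 letter"; _bad=1 ;; esac
  case $_pw in *[0-9]*) ;; *) echo "must contain at least 1 digit"; _bad=1 ;; esac
  case $_pw in *[!A-Za-z0-9]*) ;;
    *) echo "must contain at least 1 special character"; _bad=1 ;; esac
  case $_lpw in *"$_user"*) echo "must not contain the username"; _bad=1 ;; esac
  case $_lpw in *"$_rev"*) echo "must not contain username reversed"; _bad=1 ;; esac
  return $_bad
}

# Constructed demo using a sample password that appears on this page.
check_orapwd_password SYS 'N0WayIn!' && echo "N0WayIn! passes for SYS"
```

In real use, read the candidate from a silent prompt rather than embedding it in a script or command line, so it does not end up in shell history or the process list.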
 
Help
This is not the utility's full syntax. Note the following entries that show the missing pieces.
[oracle@db18c bin]$ orapwd -h
Usage 1: orapwd file=<fname> force={y|n} asm={y|n}
          dbuniquename=<dbname> format={12|12.2}
          delete={y|n} input_file=<input-fname>
          'sys={y | password | external(<sys-external-name>)
                | global(<sys-directory-DN>)}'
          'sysbackup={y | password | external(<sysbackup-external-name>)
                      | global(<sysbackup-directory-DN>)}'
          'sysdg={y | password | external(<sysdg-external-name>)
                  | global(<sysdg-directory-DN>)}'
          'syskm={y | password | external(<syskm-external-name>)
                  | global(<syskm-directory-DN>)}'

There must be no spaces around the equal-to (=) character.
[oracle@db19c bin]$
 
ASM
Indicates that the password to be stored in the ASM disk group is an ASM password (optional). dbuniquename: unique database name used to identify database password files residing in an ASM diskgroup only. Ignored when the ASM option is specified.
orapwd file=<path_and_file_name> asm=<N | Y>
# orapwd file=+DATA/???/PWDorabasexix.ora password="N0WayIn!" asm=Y
 
CREATE
Create a password file
orapwd file=<path_and_file_name> password=<"password">
# orapwd file=+DATA/???/PWDorabasexix.ora password="N0WayIn!"
 
DELETE
Drop password file in ASM storage
orapwd delete=y asm=y file=<diskgroup_name>
# orapwd delete=y asm=y file=+DATA/???/PWDorabasexix.ora
Drop password file by DB Unique Name
orapwd delete=y dbuniquename=<database_unique_name>
# orapwd delete=y password="N0Access!" dbuniquename=orabase
Drop password file in a file system
orapwd delete=y file=<path_and_file_name>
# orapwd delete=y file=/u01/oracle/product/19.3.0/dbhome_1/dbs/PWDorabasexix.ora
 
DESCRIBE
Describe the properties of the specified password file
orapwd describe file=<fname>
# orapwd describe file=PWDorabasexix.ora
Password file Description : format=12.2
Describe a password file in a file system
# orapwd describe file=/u01/oracle/product/19.3.0/dbhome_1/database/PWDorabase.ora
Password file Description : format=12
 
FORCE
Forces existing file overwrite
orapwd file=<path_and_file_name> force=<Y | N>
# orapwd file=+DATA/???/PWDorabasexix.ora password="N0WayIn!" force=y
 
FORMAT
Use format=12 for new 12c features. Use 12.2 for enforcing Profile password complexity and limits and account status for admin users.
orapwd file=<path_and_file_name> format=<12 | 12.2>
# orapwd file=+DATA/???/PWDorabasexix.ora password="N0WayIn!" format=12
 
INPUT_FILE
Create a new password file using an existing password file as the source
orapwd file=<path_and_file_name> input_file=<existing_password_file> force=y
# orapwd file=+DATA/???/PWDorabase.ora input_file='/u01/oracle/dbs/PWDorabasexix.ora' force=y
 
SYS
Specifies if SYS user is password, externally or globally authenticated. For external SYS, also specifies external name. For global SYS, also specifies directory DN. SYS={y | password} specifies if SYS user password needs to be changed when used with input_file.
orapwd input_file=<path_and_file_name> sys=<Y | password>
# orapwd file=+DATA/???/PWDorabasexix.ora sys="N0WayIn!"
 
SYSBACKUP
Creates SYSBACKUP entry (optional). Specifies if SYSBACKUP user is password, externally or globally authenticated. For external SYSBACKUP, also specifies external name. For global SYSBACKUP, also specifies directory DN. Ignored if input_file is specified.
orapwd file=<path_and_file_name> sysbackup=<password>
# orapwd file=+DATA/???/PWDorabasexix.ora sysbackup="N0WayIn!"
 
SYSDG
Creates SYSDG entry (optional). Specifies if SYSDG user is password, externally or globally authenticated. For external SYSDG, also specifies external name. For global SYSDG, also specifies directory DN. Ignored if input_file is specified.
orapwd file=<path_and_file_name> sysdg=<password>
# orapwd file=+DATA/???/PWDorabasexix.ora sysdg="N0WayIntoDR#"
 
SYSKM
Creates SYSKM entry (optional). Specifies if SYSKM user is password, externally or globally authenticated. For external SYSKM, also specifies external name. For global SYSKM, also specifies directory DN. Ignored if input_file is specified.
orapwd file=<path_and_file_name> syskm=<password>
# orapwd file=+DATA/???/PWDorabasexix.ora syskm="N0Way1ntoR#Wallets"
 
AUDIT VAULT and DATA VAULT Extensions
NOSYSDBA

This appears to still be valid syntax but no longer disables logins with "/ as sysdba".
orapwd file=<path_and_file_name> nosysdba=<y | n>
# orapwd file=/u01/app/oracle/product/19.3.0/dbhome_1/dbs/PWDorabasexix.ora password="N0WayIn!" nosysdba=y
 
Related Queries
Retrieve password file metadata
SELECT *
FROM v$pwfile_users;
Retrieve the Database UniqueName
SQL> show parameter unique
