Reinitializing the Same Password After Expiration in Oracle 19c

In Oracle Database 19c, when a user account (for example SYSTEM) becomes EXPIRED, the password itself is still valid — Oracle simply requires it to be changed.

In 19c environments, you may notice that the SPARE4 column is not visible (due to dictionary protection or restricted access to internal hash storage).
In this case, the clean and supported way to reinitialize the password (without changing it) is to extract the user DDL using DBMS_METADATA.

This article explains the correct method.

1. Verify Account Status

First, confirm the account is expired:

SELECT username, account_status FROM dba_users WHERE username = 'SYSTEM';

Example output:

USERNAME   ACCOUNT_STATUS
---------- --------------
SYSTEM     EXPIRED

2. Why SPARE4 May Not Be Visible in 19c

In 19c configurations:

  • Password hashes are protected
  • Dictionary access may be restricted
  • SPARE4 is no longer directly exposed in some secured setups
  • Oracle hardening policies may hide password hash details

Instead of querying internal columns, Oracle recommends using supported APIs like DBMS_METADATA.

3. Extract the User DDL (Including Password Hash)

Run:

SELECT DBMS_METADATA.GET_DDL('USER', USERNAME) AS DDL FROM DBA_USERS WHERE USERNAME = 'SYSTEM';

This returns something like:

CREATE USER "SYSTEM" IDENTIFIED BY VALUES 'S:8F3A...;T:4F9C...' DEFAULT TABLESPACE "SYSTEM" TEMPORARY TABLESPACE "TEMP" PROFILE "DEFAULT";

Important:

  • IDENTIFIED BY VALUES contains the password hash
  • The hash is preserved
  • No password change occurs

4. Reinitialize the Password (Remove EXPIRED Status)

Now simply:

  1. Copy the generated DDL
  2. Execute it in the same database

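Because the account already exists, the statement to run is the ALTER USER form shown in section 5, carrying the IDENTIFIED BY VALUES clause from the generated DDL unchanged. This re-applies the same password hash and removes the EXPIRED status.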

After execution, verify:

SELECT username, account_status FROM dba_users WHERE username = 'SYSTEM';

Expected result:

SYSTEM   OPEN

5. Why This Works

When you execute:

ALTER USER SYSTEM IDENTIFIED BY VALUES 'hash_value';

Oracle:

  • Reuses the existing password hash
  • Marks the password as newly set
  • Clears the EXPIRED flag
  • Does NOT change the actual password
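
The procedure from sections 1, 3, 4 and 5 as a single PL/SQL block. This is an added example, not code from the original article; it assumes a SQL*Plus or SQLcl session with DBA privileges, and the variable names and the error codes -20001 and -20002 are chosen for illustration.

```sql
-- Added example (not from the original article). Run as a DBA in SQL*Plus or SQLcl.
SET SERVEROUTPUT ON

DECLARE
  v_user   CONSTANT VARCHAR2(128) := 'SYSTEM';  -- account used in the article
  v_status dba_users.account_status%TYPE;
  v_ddl    CLOB;
  v_hash   VARCHAR2(4000);
BEGIN
  -- Step 1: act only on an expired, unlocked account.
  SELECT account_status INTO v_status FROM dba_users WHERE username = v_user;
  IF v_status NOT IN ('EXPIRED', 'EXPIRED(GRACE)') THEN
    raise_application_error(-20001, v_user || ' is ' || v_status || '; nothing to reinitialize');
  END IF;

  -- Step 3: fetch the supported DDL and pull out the IDENTIFIED BY VALUES string.
  v_ddl  := DBMS_METADATA.GET_DDL('USER', v_user);
  v_hash := REGEXP_SUBSTR(DBMS_LOB.SUBSTR(v_ddl, 4000, 1),
                          'IDENTIFIED BY VALUES ''([^'']+)''', 1, 1, 'i', 1);

  -- Refuse anything that is not a plain verifier string (hex digits plus tags such as S: and T:),
  -- so nothing unexpected is concatenated into the dynamic statement.
  IF v_hash IS NULL OR NOT REGEXP_LIKE(v_hash, '^[0-9A-Za-z:;]+$') THEN
    raise_application_error(-20002, 'No usable IDENTIFIED BY VALUES clause for ' || v_user);
  END IF;

  -- Step 4: the account already exists, so re-apply the unchanged hash with ALTER USER.
  EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE)
                 || ' IDENTIFIED BY VALUES ''' || v_hash || '''';

  -- Verify, without ever printing the hash itself.
  SELECT account_status INTO v_status FROM dba_users WHERE username = v_user;
  DBMS_OUTPUT.PUT_LINE(v_user || ' is now ' || v_status);
END;
/
```

The block keeps the hash in a PL/SQL variable, so it never reaches the terminal, a spool file or the shell history.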

6. Important Security Notes

  • Requires DBA privilege
  • Do NOT modify the hash value

7. Alternative (If You Know the Password)

If you know the original password, the simplest method remains:

ALTER USER SYSTEM IDENTIFIED BY "SamePassword";

This is cleaner and fully supported.

8. Best Practice Recommendation

For administrative accounts in 19c:

  • Use dedicated profiles
  • Control PASSWORD_LIFE_TIME
  • Avoid disabling expiration globally