Hash authentication parameters
Two parameters control which hashing algorithm is used for passwords:

- A system-level configuration parameter, SecurityAlgorithm:
  => ALTER DATABASE DEFAULT SET PARAMETER SecurityAlgorithm = 'hashing_algorithm';
- A user-level parameter, SECURITY_ALGORITHM:
  => ALTER USER username SECURITY_ALGORITHM 'hashing_algorithm' IDENTIFIED BY 'new_password';

The system-level parameter, SecurityAlgorithm, can have the following values:

- SHA512 (default)
- MD5

The user-level parameter, SECURITY_ALGORITHM, can have the following values. Values other than NONE will take priority over the system-level parameter:

- NONE (default)
- SHA512
- MD5

Note
If a user's password is hashed with MD5, you cannot change their username with ALTER USER.

A user's EFFECTIVE_SECURITY_ALGORITHM is determined by a combination of the system-level and user-level parameters. If the user-level parameter is set to NONE, the effective security algorithm will be that of the system-level parameter. You can override the system-level parameter for a particular user by setting the user-level parameter to a non-NONE value.

You can view these parameters and their effects on each user by querying the system table PASSWORD_AUDITOR.
The following table shows the various combinations of the system-level and user-level parameters, and the effective security algorithm for each. Notice that FIPS mode forces the effective security algorithm to be SHA-512.

System-level: SecurityAlgorithm | User-level: SECURITY_ALGORITHM | Effective security algorithm | Effective security algorithm (FIPS mode) |
---|---|---|---|
MD5 | NONE | MD5 | SHA-512 |
SHA512 | NONE | SHA-512 | SHA-512 |
MD5 | MD5 | MD5 | SHA-512 |
SHA512 | MD5 | MD5 | SHA-512 |
MD5 | SHA512 | SHA-512 | SHA-512 |
SHA512 | SHA512 | SHA-512 | SHA-512 |
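
The resolution rule in the table above, written out as an added example (not code from the product or its documentation) that also flags which accounts still resolve to MD5 and why. The function names and the sample user list are constructed for illustration; the return value SHA512 corresponds to SHA-512 in the table.

```python
# Added example: resolve the effective password-hash algorithm from the
# system-level and user-level settings, then list accounts that resolve to MD5.

SYSTEM_VALUES = ("SHA512", "MD5")
USER_VALUES = ("NONE", "SHA512", "MD5")


def effective_algorithm(system_level, user_level="NONE", fips_mode=False):
    """Return the effective algorithm for one user, following the table."""
    system_level = system_level.upper()
    user_level = user_level.upper()
    if system_level not in SYSTEM_VALUES:
        raise ValueError("unknown SecurityAlgorithm: %r" % system_level)
    if user_level not in USER_VALUES:
        raise ValueError("unknown SECURITY_ALGORITHM: %r" % user_level)
    if fips_mode:
        # FIPS mode forces SHA-512 regardless of either parameter.
        return "SHA512"
    # A non-NONE user-level value takes priority over the system level.
    return system_level if user_level == "NONE" else user_level


def audit(system_level, users, fips_mode=False):
    """Return [(username, cause)] for every account that resolves to MD5.

    users maps username -> user-level SECURITY_ALGORITHM value.
    The cause tells which parameter has to change to move the account off MD5.
    """
    findings = []
    for name, user_level in sorted(users.items()):
        if effective_algorithm(system_level, user_level, fips_mode) != "MD5":
            continue
        if user_level.upper() == "MD5":
            cause = "user-level override"         # fix with ALTER USER
        else:
            cause = "inherited from system level"  # fix with ALTER DATABASE
        findings.append((name, cause))
    return findings


# Constructed sample data, not taken from a real database.
SAMPLE_USERS = {"alice": "NONE", "bob": "MD5", "carol": "SHA512"}

if __name__ == "__main__":
    for system_level in SYSTEM_VALUES:
        print("SecurityAlgorithm =", system_level)
        for name, cause in audit(system_level, SAMPLE_USERS):
            print("  %s resolves to MD5 (%s)" % (name, cause))
```

Note that raising the system-level parameter to SHA512 does not clear a user-level MD5 override: bob is still reported until his own SECURITY_ALGORITHM is changed.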