Hash authentication parameters

Two parameters control which hashing algorithm is used for passwords:.

Two parameters control which hashing algorithm is used for passwords:

  • A system-level configuration parameter, SecurityAlgorithm:

    => ALTER DATABASE DEFAULT SET PARAMETER SecurityAlgorithm = 'hashing_algorithm';
    
  • A user-level parameter, SECURITY_ALGORITHM:

    => ALTER USER username SECURITY_ALGORITHM 'hashing_algorithm' IDENTIFIED BY 'new_password';
    

The system-level parameter, SecurityAlgorithm, can have the following values:

  • SHA512 (default)

  • MD5

The user-level parameter, SECURITY_ALGORITHM, can have the following values. Values other than NONE will take priority over the system-level parameter:

  • NONE (default)

  • SHA512

  • MD5

A user's EFFECTIVE_SECURITY_ALGORITHM is determined by a combination of the system-level and user-level parameters. If the user-level parameter is set to NONE, the effective security algorithm will be that of the system-level parameter. You can override the system-level parameter for a particular user by setting the user-level parameter to a non-NONE value.

You can view these parameters and their effects on each user by querying the system table PASSWORD_AUDITOR.

The following table shows the various combinations of the system-level and user-level parameters, and the effective security algorithm for each. Notice that FIPS mode forces the effective security algorithm to be SHA-512.

Parameter value Effective Security Algorithm
System level: SecurityAlgorithm User-level: SECURITY_ALGORITHM Hash Hash (FIPS mode)
MD5 NONE MD5 SHA-512
SHA512 NONE SHA-512 SHA-512
MD5 MD5 MD5 SHA-512
SHA512 MD5 MD5 SHA-512
MD5 SHA512 SHA-512 SHA-512
SHA512 SHA512 SHA-512 SHA-512