Password Rotation Best Practices in SQL*Plus
Password rotation policies in SQL*Plus are not optional. Oracle databases accessed through SQL*Plus should enforce strict expiration intervals and automated resets. Static passwords become liabilities; rotation reduces exposure from leaks, brute force attempts, and stale accounts.
Start with Oracle’s profile settings. Use the CREATE PROFILE or ALTER PROFILE commands to set PASSWORD_LIFE_TIME to the required number of days. This forces each user account to change its password on schedule. Combine it with PASSWORD_GRACE_TIME so users have minimal delay before mandatory changes. Example:
ALTER PROFILE app_users LIMIT PASSWORD_LIFE_TIME 30 PASSWORD_GRACE_TIME 3;
Enforce complexity alongside rotation. Set PASSWORD_VERIFY_FUNCTION in the profile to a verification function that rejects weak passwords, so that each rotated password raises the security bar rather than recycling a weak one. Regular audits should confirm that inactive accounts are locked and that every account's profile matches policy.
When scripts or automated jobs use SQL*Plus, rotate the service account passwords too. Store new credentials in a secure vault and update connection scripts immediately. Test these updates in staging before moving to production to avoid downtime.
Monitor compliance. Query DBA_USERS to see expiry dates. Build alerts for accounts nearing expiration. Verify that critical roles—DBA, application owners—rotate faster than default user accounts.
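The profile settings, profile assignment and DBA_USERS compliance check described above, as an added example that is not part of the original article. It assumes Oracle Database 12c or later with the shipped ora12c_verify_function and ora12c_strong_verify_function installed from utlpwdmg.sql; the profile name app_users comes from the article, while dba_users and svc_reporting are constructed names.

```sql
-- Added example, not from the original article. Assumes Oracle 12c+ and that
-- ora12c_verify_function / ora12c_strong_verify_function were installed via
-- $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. Time limits are in days.

-- 1. Rotation, grace period and reuse limits for ordinary application users.
CREATE PROFILE app_users LIMIT
  PASSWORD_LIFE_TIME       30            -- force a change every 30 days
  PASSWORD_GRACE_TIME      3             -- 3 days of warnings, then expired
  PASSWORD_REUSE_TIME      365           -- reuse only after 365 days AND
  PASSWORD_REUSE_MAX       10            --   10 other passwords (both apply)
  FAILED_LOGIN_ATTEMPTS    5             -- lock after 5 consecutive failures
  PASSWORD_LOCK_TIME       1/24          -- keep it locked for one hour
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;   -- reject weak passwords

-- 2. Privileged accounts rotate faster than the default (constructed name).
CREATE PROFILE dba_users LIMIT
  PASSWORD_LIFE_TIME       14
  PASSWORD_GRACE_TIME      1
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       24
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       UNLIMITED     -- an administrator must unlock it
  PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;

-- 3. Attach the profile to a service account (constructed name) and force a
--    new password at its next login; store that password in the vault first.
ALTER USER svc_reporting PROFILE app_users;
ALTER USER svc_reporting PASSWORD EXPIRE;

-- 4. Compliance check: non-Oracle accounts that are locked, expired, or
--    within 7 days of expiry. The rotation_state column feeds an alert job.
SELECT username,
       profile,
       account_status,
       expiry_date,
       CASE
         WHEN account_status LIKE 'LOCKED%'  THEN 'locked'
         WHEN account_status LIKE 'EXPIRED%' THEN 'expired'
         WHEN expiry_date <= SYSDATE + 7     THEN 'expiring'
       END AS rotation_state
  FROM dba_users
 WHERE oracle_maintained = 'N'
   AND (account_status <> 'OPEN' OR expiry_date <= SYSDATE + 7)
 ORDER BY expiry_date NULLS LAST;
```

Run the final query from a scheduled SQL*Plus job and page on any row whose rotation_state is not empty; a row with a NULL expiry_date usually means the account sits in a profile with PASSWORD_LIFE_TIME UNLIMITED, which is itself a finding.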
A sound password rotation policy in SQL*Plus is simple to implement but powerful in impact. It shrinks the attack window to days instead of months or years. If you need this live without the wait, deploy and enforce your rotation policies with hoop.dev—you can see it in action in minutes.