How to Disable Oracle Password Expiration Policy for Development Environments in 11g


2 views

Every Oracle developer knows the frustration - you're mid-development when suddenly your bootstrap account gets locked due to password expiration. This is particularly painful when:

  • Using automated scripts that rely on fixed credentials
  • Maintaining local development databases
  • Working with CI/CD pipelines that need persistent access

Oracle 11g introduced the DEFAULT profile with these settings:

SELECT profile, resource_name, limit 
FROM dba_profiles 
WHERE profile = 'DEFAULT' 
AND resource_name LIKE 'PASSWORD%';

Typical output shows PASSWORD_LIFE_TIME 180 (days) which triggers expiration.

For a complete disable of password expiration:

-- Connect as SYSDBA
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;

For specific users:

-- Create custom profile
CREATE PROFILE DEV_PROFILE LIMIT PASSWORD_LIFE_TIME UNLIMITED;
ALTER USER your_username PROFILE DEV_PROFILE;

If you need immediate access while waiting for policy changes:

ALTER USER username IDENTIFIED BY new_password;
ALTER USER username ACCOUNT UNLOCK;

Confirm your settings took effect:

SELECT username, account_status, expiry_date, profile 
FROM dba_users 
WHERE username = 'YOUR_USER';

While convenient for development, NEVER disable expiration in production. For shared dev environments, consider:

  • Using password vaults
  • Implementing SSH tunneling
  • Creating short-lived credentials

As developers, we've all been there - you come back to your local Oracle development instance after a weekend, only to find your bootstrap account locked due to password expiration. This is particularly frustrating when using accounts like SYSTEM or custom bootstrap users that need to remain available for database rebuilds.

Oracle implements password expiration through user profiles. The default profile (usually named DEFAULT) has password expiration enabled with these key parameters:

FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LIFE_TIME    180
PASSWORD_REUSE_TIME   UNLIMITED
PASSWORD_REUSE_MAX    UNLIMITED

The most comprehensive approach is to alter the DEFAULT profile (assuming your users inherit from it):

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME UNLIMITED
PASSWORD_GRACE_TIME UNLIMITED;

For better separation of concerns, create a dedicated development profile:

CREATE PROFILE dev_profile LIMIT
PASSWORD_LIFE_TIME UNLIMITED
FAILED_LOGIN_ATTEMPTS UNLIMITED
PASSWORD_LOCK_TIME UNLIMITED;

ALTER USER system PROFILE dev_profile;
ALTER USER your_bootstrap_user PROFILE dev_profile;

If your account is already expired, first unlock and reset it:

ALTER USER username IDENTIFIED BY new_password ACCOUNT UNLOCK;

Then apply one of the profile solutions above to prevent recurrence.

Check the current profile settings with:

SELECT profile, resource_name, limit
FROM dba_profiles
WHERE resource_type = 'PASSWORD'
ORDER BY profile, resource_name;

While disabling password expiration is convenient for development, never apply these changes to production systems without proper security review. Consider using these alternatives in production:

  • Password vaults
  • Automated rotation tools
  • Restricted service accounts

For development environments though, these changes can save countless hours of frustration while maintaining your workflow.