Hash Authentication Parameters
Two parameters control which hashing algorithm is used for passwords:
-
A system-level configuration parameter,
SecurityAlgorithm:=> ALTER DATABASE DEFAULT SET PARAMETER SecurityAlgorithm = 'hashing_algorithm';
-
A user-level parameter,
SECURITY_ALGORITHM:=> ALTER USER username SECURITY_ALGORITHM 'hashing_algorithm' IDENTIFIED BY 'new_password';
The system-level parameter, SecurityAlgorithm, can have the following values:
SHA512(default)MD5
The user-level parameter, SECURITY_ALGORITHM, can have the following values. Values other than NONE will take priority over the system-level parameter:
NONE(default)SHA512MD5
If user's password is hashed with MD5, you cannot change their username with ALTER USER.
A user's EFFECTIVE_SECURITY_ALGORITHM is determined by a combination of the system-level and user-level parameters. If the user-level parameter is set to NONE, the effective security algorithm will be that of the system-level parameter. You can override the system-level parameter for a particular user by setting the user-level parameter to a non-NONE value.
You can view these parameters and their effects on each user by querying the system table PASSWORD_AUDITOR.
The following table shows the various combinations of the system-level and user-level parameters, and the effective security algorithm for each. Notice that FIPS mode forces the effective security algorithm to be SHA-512.
| Parameter value | Effective Security Algorithm | ||
|---|---|---|---|
| System level: SecurityAlgorithm | User-level: SECURITY_ALGORITHM | Hash | Hash (FIPS mode) |
MD5
|
NONE
|
MD5 | SHA-512 |
SHA512
|
NONE
|
SHA-512 | SHA-512 |
MD5
|
MD5
|
MD5 | SHA-512 |
SHA512
|
MD5
|
MD5 | SHA-512 |
MD5
|
SHA512
|
SHA-512 | SHA-512 |
SHA512
|
SHA512
|
SHA-512 | SHA-512 |