SEC_CASE_SENSITIVE_LOGON - Oracle Password Case Sensitivity
SEC_CASE_SENSITIVE_LOGON
Section titled “SEC_CASE_SENSITIVE_LOGON”Overview
Section titled “Overview”SEC_CASE_SENSITIVE_LOGON controls whether Oracle enforces case sensitivity when validating passwords during authentication. When set to TRUE (the default since Oracle 11g), passwords are treated as case-sensitive — the password Tiger1 is different from tiger1. When set to FALSE, Oracle ignores case during password comparison, treating both values as equivalent.
Case-sensitive passwords significantly improve security by increasing the entropy of the valid password space. Oracle 11g introduced this behavior alongside new password verifier algorithms (the 11G verifier, stored in DBA_USERS.PASSWORD_VERSIONS). In Oracle 12.2 and later, this parameter is effectively deprecated — when the database operates in exclusive authentication mode (the default in 12.2+), only the 11G (SHA-1) or 12C (SHA-2) verifiers are stored, and these are always case-sensitive regardless of this parameter. The deprecated 10G case-insensitive verifier is only relevant for legacy compatibility scenarios.
Parameter Type: Dynamic (ALTER SYSTEM) Default Value: TRUE Valid Values: TRUE, FALSE Available Since: Oracle 11g Deprecated: Oracle 12.2 (ignored in exclusive mode; retained for mixed mode backward compatibility) Modifiable: Yes — SCOPE=BOTH (SPFILE + running instance) PDB Modifiable: Yes (12c+)
Configuration
Section titled “Configuration”Viewing Current Value
Section titled “Viewing Current Value”-- Check current SEC_CASE_SENSITIVE_LOGON settingSELECT name, value, isdefault, ismodified, descriptionFROM v$parameterWHERE name = 'sec_case_sensitive_logon';
-- Check SPFILE valueSELECT name, value, isspecifiedFROM v$spparameterWHERE name = 'sec_case_sensitive_logon';
-- Check which password verifier versions are in use-- (determines whether this parameter has any actual effect)SELECT username, account_status, password_versionsFROM dba_usersWHERE account_status = 'OPEN'ORDER BY username;
-- Check the authentication mode (12.2+)SELECT name, valueFROM v$parameterWHERE name IN ( 'sec_case_sensitive_logon', 'sqlnet.allowed_logon_version_server', 'sec_protocol_error_trace_action')ORDER BY name;Setting the Parameter
Section titled “Setting the Parameter”-- Enable case-sensitive passwords (recommended; default since 11g)ALTER SYSTEM SET sec_case_sensitive_logon = TRUE SCOPE=BOTH;
-- Disable case-sensitive passwords (legacy compatibility only; not recommended)ALTER SYSTEM SET sec_case_sensitive_logon = FALSE SCOPE=BOTH;
-- After enabling, users with only 10G verifiers need password resets-- to generate 11G/12C verifiers for case-sensitive enforcement
-- Force password reset for a user to generate new verifiersALTER USER myuser PASSWORD EXPIRE;
-- Verify password versions after resetSELECT username, password_versionsFROM dba_usersWHERE username = 'MYUSER';Tuning Guidance
Section titled “Tuning Guidance”Recommended Values
Section titled “Recommended Values”| Environment | Recommended Value |
|---|---|
| Oracle 11g (new installation) | TRUE |
| Oracle 11g with legacy clients needing 10G verifier | FALSE (temporary) → migrate clients → TRUE |
| Oracle 12.1 | TRUE (still effective) |
| Oracle 12.2+ (exclusive mode) | TRUE (parameter has no effect in exclusive mode; leave at default) |
| Oracle 19c+ | TRUE (parameter is vestigial; exclusive mode is default) |
| Oracle 23ai | Not applicable — parameter removed |
| Any environment with a compliance requirement | TRUE — case-insensitive passwords fail most password security audits |
For Oracle 12.2 and later, this parameter’s value does not matter for security purposes when running in exclusive authentication mode. Focus instead on ensuring that SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12 or higher in sqlnet.ora to prevent storage of the legacy 10G verifier.
How to Size
Section titled “How to Size”There is no numeric sizing for this parameter. The key administrative task is verifying that users have modern (11G or 12C) password verifiers and that no users are relying on the legacy 10G verifier.
-- Find users with only the legacy 10G verifier (case-insensitive passwords)SELECT username, account_status, password_versions, createdFROM dba_usersWHERE password_versions = '10G' AND account_status NOT IN ('EXPIRED & LOCKED', 'LOCKED')ORDER BY username;
-- Find users missing the 12C verifier (SHA-2) — should have both 11G and 12CSELECT username, password_versionsFROM dba_usersWHERE account_status = 'OPEN' AND password_versions NOT LIKE '%12C%'ORDER BY username;
-- Check sqlnet.ora allowed logon version settings (OS-level file)-- grep -i ALLOWED_LOGON $ORACLE_HOME/network/admin/sqlnet.ora
-- View default profile password settingsSELECT resource_name, limitFROM dba_profilesWHERE profile = 'DEFAULT' AND resource_type = 'PASSWORD'ORDER BY resource_name;Monitoring
Section titled “Monitoring”-- Monitor failed login attempts (may indicate case sensitivity issues)SELECT os_username, username, userhost, terminal, timestamp, action_name, returncodeFROM dba_audit_trailWHERE action_name = 'LOGON' AND returncode != 0 AND timestamp > SYSDATE - 1ORDER BY timestamp DESCFETCH FIRST 50 ROWS ONLY;
-- Or via unified audit trail (12c+)SELECT event_timestamp, db_username, userhost, action_name, return_codeFROM unified_audit_trailWHERE action_name = 'LOGON' AND return_code != 0 AND event_timestamp > SYSTIMESTAMP - INTERVAL '24' HOURORDER BY event_timestamp DESCFETCH FIRST 50 ROWS ONLY;
-- Check for ORA-01017 login failures in alert log contextSELECT name, valueFROM v$parameterWHERE name = 'sec_case_sensitive_logon';Common Issues
Section titled “Common Issues”Issue 1: ORA-01017 After Upgrading to 11g or Enabling Case Sensitivity
Section titled “Issue 1: ORA-01017 After Upgrading to 11g or Enabling Case Sensitivity”After enabling SEC_CASE_SENSITIVE_LOGON=TRUE (or after upgrading from 10g to 11g), application logins fail with ORA-01017: invalid username/password if the application uses passwords that were previously valid in a case-insensitive context.
Resolution: Reset the affected user’s password with the correct case. If the application cannot accommodate case-sensitive passwords immediately, temporarily set SEC_CASE_SENSITIVE_LOGON=FALSE while updating the application password configuration.
-- Identify the correct password case and resetALTER USER appuser IDENTIFIED BY "CorrectCasePassword";
-- Verify the new verifiers were generatedSELECT username, password_versionsFROM dba_usersWHERE username = 'APPUSER';Issue 2: Users Have Legacy 10G Verifier After Setting TRUE
Section titled “Issue 2: Users Have Legacy 10G Verifier After Setting TRUE”Setting SEC_CASE_SENSITIVE_LOGON=TRUE only enforces case sensitivity for users who have the 11G or 12C verifier. Users whose passwords were set before Oracle 11g (or when case sensitivity was disabled) only have the 10G verifier and continue to authenticate case-insensitively until their passwords are reset.
Resolution: Force a password reset for all users with only the 10G verifier.
-- Expire passwords for users with only the 10G verifierBEGIN FOR u IN ( SELECT username FROM dba_users WHERE password_versions = '10G' AND account_status = 'OPEN' ) LOOP EXECUTE IMMEDIATE 'ALTER USER ' || u.username || ' PASSWORD EXPIRE'; END LOOP;END;/Issue 3: Parameter Has No Effect in Oracle 12.2+ Exclusive Mode
Section titled “Issue 3: Parameter Has No Effect in Oracle 12.2+ Exclusive Mode”In Oracle 12.2 and later with SQLNET.ALLOWED_LOGON_VERSION_SERVER=12, the 10G verifier is never stored and the SEC_CASE_SENSITIVE_LOGON parameter has no effect — passwords are always case-sensitive. DBAs sometimes set FALSE expecting it to help diagnose login issues, but it has no impact.
Resolution: In Oracle 12.2+, diagnose login failures by checking the PASSWORD_VERSIONS column and the sqlnet.ora allowed logon version settings instead of this parameter.
-- In 12.2+ with exclusive mode, confirm this parameter has no effectSELECT name, valueFROM v$parameterWHERE name = 'sec_case_sensitive_logon';-- value = FALSE here has no operational effect if running in exclusive mode
-- Check allowed logon version in the parameter file (sqlnet.ora)-- SQLNET.ALLOWED_LOGON_VERSION_SERVER=12 means 10G verifier is never storedRelated Parameters
Section titled “Related Parameters”- AUDIT_TRAIL — Auditing configuration; failed logon attempts due to case sensitivity issues are captured in the audit trail
- REMOTE_LOGIN_PASSWORDFILE — Controls SYSDBA remote authentication; SYS password in the password file is always case-sensitive in 11g+
- SEC_PROTOCOL_ERROR_TRACE_ACTION — Controls Oracle’s response to protocol errors including authentication failures
Related Errors
Section titled “Related Errors”- ORA-01017: Invalid Username/Password — The primary error surfaced by case sensitivity mismatches; occurs when a client sends the wrong case password
- ORA-28000: Account Locked — Repeated failed logins due to case sensitivity issues can trigger account lockout
- ORA-28040: No Matching Authentication Protocol — Occurs when a client cannot present a compatible password verifier; often related to version and case sensitivity settings
Version Notes
Section titled “Version Notes”| Version | Notes |
|---|---|
| Oracle 10g | Passwords case-insensitive by default; no parameter existed |
| Oracle 11g | SEC_CASE_SENSITIVE_LOGON introduced; defaults to TRUE; 11G verifier added |
| Oracle 12.1 | Parameter still fully effective; 12C verifier (SHA-2) introduced |
| Oracle 12.2 | Parameter effectively deprecated in exclusive mode (SQLNET.ALLOWED_LOGON_VERSION_SERVER=12); still honored in mixed mode |
| Oracle 18c/19c | Exclusive mode is the recommended default; parameter retained for backward compatibility only |
| Oracle 21c | Legacy 10G verifier desupported; parameter has no security relevance |
| Oracle 23ai | Parameter removed; all authentication is case-sensitive |