Oracle ORAPWD Password File Utility
Version 21c

General Information
Library Note Morgan's Library Page Header
Which has the higher priority in your organization: Deploying a new database or securing the ones you already have? Looking for a website, and resources, dedicated solely to securing Oracle databases? Check out DBSecWorx.
Be sure to view the full listing of monographs in Morgan's Library
Password File Utility
Operating System Privileges To access orapwd a user must have operating system level access to the ORACLE_HOME file system and user or group access to execute the orapwd program.
 
Help
This is not the utility's full syntax. Note the following entries that show the missing pieces [oracle@db21c bin]$ orapwd -h
Usage 1: orapwd file=<fname> force={y|n} asm={y|n}
          dbuniquename=<dbname> format={12|12.2}
          delete={y|n} input_file=<input-fname>
          'sys={y | password | external(<sys-external-name>)
          | global(<sys-directory-DN>)}'
          'sysbackup={y | password | external(<sysbackup-external-name>)
          | global(<sysbackup-directory-DN>)}'
          'sysdg={y | password | external(<sysdg-external-name>)
          | global(<sysdg-directory-DN>)}'
          'syskm={y | password | external(<syskm-external-name>)
          | global(<syskm-directory-DN>)}'

Usage 2: orapwd describe file=<fname>

  where
    file   - name of password file (required),
    password
           - password for SYS will be prompted
             if not specified at command line.
             Ignored, if input_file is specified,
    force  - whether to overwrite existing file (optional),
    asm    - indicates that the password to be stored in
             Automatic Storage Management (ASM) disk group
             is an ASM password. (optional),
    dbuniquename
           - unique database name used to identify database
             password files residing in ASM diskgroup only.
             Ignored when asm option is specified (optional),
    format - use format=12 for new 12c features like SYSBACKUP, SYSDG
             and SYSKM support, longer identifiers, SHA2 Verifiers etc.
             use format=12.2 for 12.2 features like enforcing user
             profile (password limits and password complexity) and
             account status for administrative users.
             If not specified, format=12.2 is default (optional),
    delete - drops a password file. Must specify 'asm',
             'dbuniquename' or 'file'. If 'file' is specified,
             the file must be located on an ASM diskgroup (optional),
    input_file
           - name of input password file, from where old user
             entries will be migrated (optional),
    sys    - specifies if SYS user is password, externally or
             globally authenticated.
             For external SYS, also specifies external name.
             For global SYS, also specifies directory DN.
             SYS={y | password} specifies if SYS user password needs
             to be changed when used with input_file,
    sysbackup
           - creates SYSBACKUP entry (optional).
             Specifies if SYSBACKUP user is password, externally or
             globally authenticated.
             For external SYSBACKUP, also specifies external name.
             For global SYSBACKUP, also specifies directory DN.
             Ignored, if input_file is specified,
    sysdg  - creates SYSDG entry (optional).
             Specifies if SYSDG user is password, externally or
             globally authenticated.
             For external SYSDG, also specifies external name.
             For global SYSDG, also specifies directory DN.
             Ignored, if input_file is specified,
    syskm  - creates SYSKM entry (optional).
             Specifies if SYSKM user is password, externally or
             globally authenticated.
             For external SYSKM, also specifies external name.
             For global SYSKM, also specifies directory DN.
             Ignored, if input_file is specified,
    describe
           - describes the properties of specified password file
             (required).

There must be no spaces around the equal-to (=) character.
Retrieve password file metadata SELECT username, sysdba, sysoper, sysasm, sysbackup, sysdg, syskm, account_status, authentication_type, common, con_id
FROM v$pwfile_users;

USERNAME             SYSDB SYSOP SYSAS SYSBA SYSDG SYSKM ACCOUNT_STATUS
-------------------- ----- ----- ----- ----- ----- ----- --------------
SYS                  TRUE  TRUE  FALSE FALSE FALSE FALSE OPEN

SELECT username, authentication_type, common, con_id
FROM v$pwfile_users;

USERNAME             AUTHENTI COM  CON_ID
-------------------- -------- --- -------
SYS                  PASSWORD YES       0
Retrieve dbuniquename value SQL> show parameter unique

NAME                  TYPE     VALUE
--------------------- -------  ----------
db_unique_name        string   orabase
 
CREATE
Create a password file orapwd file=c:\u01\app\oracle\product\dbhome_1\dbs\PWDorabase.ora password="N0WayIn!"

C:\u01\app\oracle\product\dbhome_1\>cd $ORACLE_HOME/dbs
C:\u01\app\oracle\product\dbhome_1\dbs>dir
 Volume in drive C is System
 Volume Serial Number is F23F-0818

 Directory of C:\u01\app\oracle\product\dbhome_1\dbs

01/14/2022  07:50 PM   <DIR>           .
01/14/2022  07:50 PM   <DIR>           ..
01/14/2022  03:32 AM             3,129 init.ora
01/14/2022  07:50 PM             6,133 PWDorabase.ora
               2 File(s)          9,293 bytes
               2 Dir(s)  400,865,234,944 bytes free
 
DELETE
Drop a password file with a file system orapwd delete=y password="N0Access!" dbuniquename=orabase

orapwd delete=y file=/u01/app/oracle/product/dbhome_1/dbs/PWDorabase.ora
 
AUDIT VAULT and DATA VAULT Extension
NOSYSDBA

This appears to still be valid syntax but no longer disables logins with "/ as sysdba"
nosysdba=<y | n>
orapwd file=/u01/app/oracle/product/dbhome_1/dbs/PWDorabase.ora password="N0WayIn!" force=y
 
Addendum
DESCRIBE C:\Users\oracle>orapwd describe file=/u01/app/oracle/product/dbhome_1/dbs/PWDorabase.ora

Password file Description : format=12

Related Topics
Data Guard
Security
Utilities
What's New In 19c
What's New In 20c-21c

Morgan's Library Page Footer
This site is maintained by Dan Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2021 Daniel A. Morgan All Rights Reserved
  DBSecWorx