how to check oracle database accounts without profiles that have a default password
This post explains about how to check database accounts without profiles have default password. When a profile is defined to a user account, a history of changing passwords can be tracked via sys.user_history$. However, if any profile is not defined to a user account, sys.user_history$ does not show any entries for this user, hence can not check if an account has a default password. For example:
SQL> connect /as sysdba
SQL> create user [USER1] identified by [PASSWORD] profile passpro_test;
User created.
SQL> create user [USER2] identified by [PASSWORD];
User created.
SQL> select user_id from dba_users where username = upper('[USER1]');
USER_ID
----------
332
SQL> select user_id from dba_users where username = upper('[USER2]');
USER_ID
----------
333
SQL> alter user [USER1] identified by [NEW PASSWORD];
User altered.
SQL> alter user [USER2] identified by [NEW PASSWORD];
User altered.
SQL> select * from sys.user_history$ where user#=332 order by password_date;
USER#
----------
PASSWORD
--------------------------------------------------------------------------------
PASSWORD_DATE
-------------------
332
...
2019-08-27 10:47:02
332
...
2019-08-27 10:53:31
SQL> select * from sys.user_history$ where user#=333 order by password_date;
no rows selected
For such a case, checking if user$.ctime and user$.ptime are different will become alternative way for this requirement.
Result 1: Before changing password
SQL> select user#, ctime, ptime from user$ where user# in (332,333);
USER# CTIME PTIME
---------- ------------------- -------------------
332 2019-08-27 10:47:02 2019-08-27 10:47:02
333 2019-08-27 10:47:05 2019-08-27 10:47:05
Result 2: After changing password
SQL> select user#, ctime, ptime from user$ where user# in (332,333);
USER# CTIME PTIME
---------- ------------------- -------------------
332 2019-08-27 10:47:02 2019-08-27 10:53:31
333 2019-08-27 10:47:05 2019-08-27 10:53:32 >>> ptime is changed since a password is changed.