Password Files

Lesson 5: Creating the password file
Objective: Create a password file for the COIN database.

Creating an Oracle Password File

An Oracle password file is an operating system file that allows privileged administrative users to authenticate to an Oracle database with roles such as SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM, and SYSASM. This type of authentication is especially important when a DBA must connect remotely before the database is fully open, during startup, shutdown, backup, recovery, Data Guard administration, or other privileged maintenance operations.

The objective of this lesson is to create a password file for the COIN database. The correct Oracle utility for this task is orapwd. Do not confuse orapwd with oradim. The oradim utility is associated with creating and managing Oracle services on Windows. It is not the password file creation utility. For password file creation, maintenance, and replacement, use orapwd.

Why Oracle Uses a Password File

Normal database users are authenticated through the database data dictionary, external authentication, enterprise identity services, or other configured authentication methods. Administrative users are different. A user who connects as SYSDBA or another administrative role may need to connect when the database is mounted, in recovery mode, or not fully open. In those cases, Oracle cannot always depend only on ordinary database authentication. The password file solves this problem by storing privileged administrative authentication data outside the regular user table.

In a local operating system session, an administrator may be able to connect with operating system authentication, for example:

sqlplus / as sysdba

For remote administrative access over Oracle Net, the database typically needs a password file. Without a valid password file and the proper REMOTE_LOGIN_PASSWORDFILE setting, remote users granted SYSDBA or related privileges may not be able to authenticate.

ORAPWD Syntax for Oracle 19c and Oracle 23ai

The general form of the orapwd command is:

orapwd FILE=<password_file_path> ENTRIES=<administrator_count> FORMAT=<password_file_format>

The most important parameters are FILE, ENTRIES, and FORMAT. Other parameters, such as FORCE and NOSYSDBA, are used for more specialized cases. A secure modern command should not place the SYS password directly on the command line. When the PASSWORD parameter is omitted, Oracle prompts for the password interactively.

FILE Parameter

The FILE parameter specifies the complete path and file name of the password file. On Linux and Unix systems, the conventional name is orapw<SID>. For the COIN database, the conventional file name is:

$ORACLE_HOME/dbs/orapwCOIN

On Windows, Oracle password files are commonly stored under the database directory and use a naming pattern such as:

%ORACLE_HOME%\database\PWDCOIN.ora

ENTRIES Parameter

The ENTRIES parameter specifies how many privileged administrative users the password file should be prepared to support. In older Oracle versions, this value was especially important because the file was sized according to the number of administrative entries. In modern Oracle releases, password file behavior is more flexible, but the parameter still communicates the intended administrative capacity and remains useful in instructional examples and controlled DBA procedures.

FORMAT Parameter

The FORMAT parameter determines the password file format. For Oracle 12c through Oracle 19c environments, FORMAT=12 is common. For a new Oracle 23ai deployment, FORMAT=12.2 is the preferred modern format because it supports newer password file capabilities and better administrative account handling.

FORCE Parameter

The FORCE parameter controls whether orapwd overwrites an existing password file. If the file already exists and FORCE=Y is not specified, the command can fail instead of replacing the file. Use FORCE=Y only when you deliberately intend to replace the current password file.

NOSYSDBA Parameter

The NOSYSDBA parameter is not normally used for standard database installations. It is associated with specialized security configurations, such as Oracle Data Vault environments, where the default administrative privilege model may be restricted. For a normal instructional COIN database, this parameter is usually not needed.

Deprecated IGNORECASE Parameter

Older Oracle material may refer to IGNORECASE=Y. This parameter allowed case-insensitive password behavior. Do not use it for a modern Oracle database. Case-sensitive password behavior is the expected secure baseline, and IGNORECASE should be treated as a legacy or deprecated option.

Creating the Password File for the COIN Database

The following examples create a password file for the COIN database. The examples intentionally omit the PASSWORD parameter so that Oracle prompts for the SYS password interactively. This avoids exposing the password in command history, terminal scrollback, shell scripts, or operating system process listings.

Linux or Unix Example for Oracle 19c

orapwd FILE=$ORACLE_HOME/dbs/orapwCOIN ENTRIES=10 FORMAT=12

Enter password for SYS:

This command creates a password file named orapwCOIN in the standard Linux or Unix password file location under $ORACLE_HOME/dbs. The ENTRIES=10 value allows room for a small group of administrative users. The FORMAT=12 value is suitable for Oracle 12c, Oracle 18c, Oracle 19c, and compatible environments.

Linux or Unix Example for Oracle 23ai

orapwd FILE=$ORACLE_HOME/dbs/orapwCOIN ENTRIES=10 FORMAT=12.2

Enter password for SYS:

For a new Oracle 23ai deployment, use FORMAT=12.2 unless compatibility requirements force a different choice. This keeps the password file aligned with the modern administrative authentication model.

Windows Example for Oracle 23ai

orapwd FILE=%ORACLE_HOME%\database\PWDCOIN.ora ENTRIES=10 FORMAT=12.2

Enter password for SYS:

On Windows, place the password file in the expected Oracle home database directory. The exact path can vary according to the Oracle home layout, database name, and installation method, but the important point is that Oracle must be able to locate the password file when the instance starts.

Protecting the File After Creation

On Linux and Unix systems, restrict the file permissions after the password file is created:

chmod 600 $ORACLE_HOME/dbs/orapwCOIN

The file should be owned by the Oracle software owner, commonly the oracle operating system account. Do not make the file world-readable. The password file supports privileged authentication and should be treated as a sensitive security artifact.
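The creation and protection steps above (run as the Oracle software owner, omit PASSWORD so orapwd prompts, overwrite only deliberately with FORCE=Y, then chmod 600) can be wrapped so they are applied consistently. The following is an added example written for this lesson; it is not Oracle's code and not part of the original page. The variables ORAPWD_BIN, ORACLE_OWNER and PWFILE_DIR are assumptions introduced here so the wrapper can be exercised without an Oracle installation; they default to the conventional Linux/Unix locations.

```shell
#!/bin/sh
# Added example (not Oracle's code): a wrapper that runs orapwd the way the
# lesson recommends. ORAPWD_BIN, ORACLE_OWNER and PWFILE_DIR are assumed
# overrides for this example, defaulting to the conventional locations.

ORAPWD_BIN="${ORAPWD_BIN:-$ORACLE_HOME/bin/orapwd}"
ORACLE_OWNER="${ORACLE_OWNER:-oracle}"
PWFILE_DIR="${PWFILE_DIR:-$ORACLE_HOME/dbs}"

# create_pwfile SID ENTRIES FORMAT [force]
# Exit status: 0 created, 1 bad arguments, 2 not running as the Oracle owner,
#              3 file exists and 'force' was not given, 4 orapwd failed.
create_pwfile() {
    sid=$1; entries=$2; format=$3; force=${4:-no}
    if [ -z "$sid" ] || [ -z "$entries" ] || [ -z "$format" ]; then
        echo "usage: create_pwfile SID ENTRIES FORMAT [force]" >&2; return 1
    fi
    case $entries in ''|*[!0-9]*) echo "ENTRIES must be numeric" >&2; return 1;; esac
    case $format in 12|12.2) ;; *) echo "FORMAT must be 12 or 12.2" >&2; return 1;; esac

    # Ownership of the new file follows the caller, so insist on the Oracle owner.
    if [ "$(id -un)" != "$ORACLE_OWNER" ]; then
        echo "run this as $ORACLE_OWNER, not $(id -un)" >&2; return 2
    fi

    target="$PWFILE_DIR/orapw$sid"          # conventional name orapw<SID>
    force_arg=""
    if [ -e "$target" ]; then
        if [ "$force" != "force" ]; then
            echo "$target already exists; pass 'force' to replace it" >&2; return 3
        fi
        force_arg="FORCE=Y"                 # deliberate replacement only
    fi

    # No PASSWORD= here: orapwd prompts for the SYS password, so it never
    # lands in shell history or the process list. $force_arg is unquoted on
    # purpose so that an empty value contributes no argument.
    "$ORAPWD_BIN" FILE="$target" ENTRIES="$entries" FORMAT="$format" $force_arg || return 4
    chmod 600 "$target"                     # owner read/write only
    echo "created $target"
}

# pwfile_mode_ok PATH
# True when PATH is a regular file, mode 600, owned by the Oracle owner.
# Uses ls -ld rather than stat so it works on both GNU and BSD userlands.
pwfile_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$mode" = "-rw-------" ] && [ "$owner" = "$ORACLE_OWNER" ]
}
```

Run from the oracle account, `create_pwfile COIN 10 12.2` issues exactly the Oracle 23ai Linux command shown in this lesson and then applies the permission fix; `pwfile_mode_ok "$ORACLE_HOME/dbs/orapwCOIN"` is the post-creation check, and it is also a reasonable thing to run periodically, since a password file that has drifted to world-readable is a quiet way to lose control of SYSDBA.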

The ENTRIES Parameter in Detail

The value for the ENTRIES parameter is used to size or plan the password file. Each entry represents a privileged administrative user who can be granted administrative privileges through the password file. This number represents the maximum number of users to whom you expect to grant privileges such as SYSDBA or SYSOPER.

Be generous with the number of users you allow for. Password files are small, so disk space is rarely the deciding issue. The larger concern is administrative clarity. You should not force several DBAs to share the SYS account simply because the password file was created too narrowly. Shared administrative accounts make auditing weaker and make it more difficult to determine which DBA performed a privileged action.

In a secure environment, each privileged administrator should have an individually named account. That account can then be granted a specific administrative privilege, such as SYSDBA, SYSOPER, or SYSBACKUP. When the privilege is granted, the account appears in the password file. When the privilege is revoked, the password file entry is no longer used for that privilege.

Older course material sometimes referred to the INTERNAL user. That reference is obsolete. Modern Oracle administration uses SYS and administrative privilege connections such as AS SYSDBA. Do not design new material around INTERNAL, and do not instruct students to connect with CONNECT INTERNAL.

FORMAT Parameter: Oracle 12, 12.2, and Legacy Files

The password file format matters because it controls which administrative privileges and password verification capabilities the file can support. A legacy password file can prevent newer administrative roles from being represented correctly. This is important in modern environments where roles such as SYSBACKUP, SYSDG, and SYSKM are used to separate responsibilities.

FORMAT=12

Use FORMAT=12 for Oracle 12c through Oracle 19c environments when compatibility with that generation of database software is required. It is a modern format compared with legacy password files and supports stronger password file behavior than older formats.

FORMAT=12.2

Use FORMAT=12.2 for new Oracle 23ai deployments when there is no compatibility reason to use an older format. This is the better teaching example for a current Oracle 23ai course because it presents the password file as part of the modern administrative security model.

Data Guard and Migration Considerations

In a Data Guard configuration, keep the password file format and privileged administrative users consistent between the primary and standby databases. A mismatch between password files can cause authentication problems during redo transport, broker operations, switchover, failover, or remote administration. Before replacing a password file, document the existing file, verify the current privileged users, and coordinate the change across all related database hosts.

Verifying the Password File After Creation

After creating the password file, verify that Oracle recognizes it and that administrative users are represented correctly. Two useful dynamic performance views are V$PWFILE_USERS and V$PASSWORDFILE_INFO.

Checking Privileged Users

SELECT USERNAME, SYSDBA, SYSOPER, SYSBACKUP
FROM V$PWFILE_USERS;

The V$PWFILE_USERS view lists users contained in the password file and indicates which administrative privileges they have. This view is useful after granting or revoking administrative privileges.

Checking Password File Format and Location

SELECT FILE_NAME, FORMAT
FROM V$PASSWORDFILE_INFO;

The V$PASSWORDFILE_INFO view shows the password file location and format. In a multitenant database, this view is useful because the password file is common to the CDB rather than separately managed for each PDB. For a modern environment, this query helps confirm whether the file is using 12, 12.2, or a legacy format.
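The V$PWFILE_USERS query is most useful when its result is compared against the list of administrators who are supposed to hold each privilege, so that an unexpected SYSDBA grant is noticed rather than merely listed. The following is an added example written for this lesson, not code from the original page: it parses the query output in the column layout SQL*Plus produces and reports any grant that is absent from an approved list. The sample result and the approved list are constructed for the example; in practice the result would be captured with sqlplus -s and the approved list would come from your access records.

```shell
#!/bin/sh
# Added example (not from the lesson): drift check for privileged accounts.
# SAMPLE_PWFILE_USERS is constructed sample data shaped like the SQL*Plus
# result of: SELECT USERNAME, SYSDBA, SYSOPER, SYSBACKUP FROM V$PWFILE_USERS;
SAMPLE_PWFILE_USERS='USERNAME        SYSDBA SYSOPER SYSBACKUP
--------------- ------ ------- ---------
SYS             TRUE   TRUE    FALSE
BACKUP_ADMIN    FALSE  FALSE   TRUE
ROGUE_DBA       TRUE   FALSE   FALSE'

# Approved "USER PRIVILEGE" pairs, one per line (constructed for this example).
APPROVED_ADMINS='SYS SYSDBA
SYS SYSOPER
BACKUP_ADMIN SYSBACKUP'

# privileged_grants QUERY_OUTPUT
# Prints "USER PRIVILEGE" for every TRUE column, taking the privilege names
# from the header row and skipping the dashed separator line.
privileged_grants() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) col[i] = $i; next }
        /^-/    { next }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == "TRUE") print $1, col[i] }'
}

# unexpected_grants QUERY_OUTPUT APPROVED
# Prints grants present in the password file but not in the approved list.
# Returns 0 when the file matches the list, 1 when drift was found.
unexpected_grants() {
    drift=$( { printf '%s\n' "$2"; echo '---'; privileged_grants "$1"; } | awk '
        /^---$/  { reading = 1; next }
        !reading { ok[$0] = 1; next }
        !($0 in ok) { print }' )
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}
```

With the constructed data, `unexpected_grants "$SAMPLE_PWFILE_USERS" "$APPROVED_ADMINS"` prints `ROGUE_DBA SYSDBA` and exits 1, which is the signal to review who granted that privilege and when; feeding the same check the live query output after every grant or revoke keeps the password file and the access records in step.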

REMOTE_LOGIN_PASSWORDFILE

The password file works with the REMOTE_LOGIN_PASSWORDFILE initialization parameter. This parameter controls whether Oracle uses password file authentication for remote administrative connections.

The parameter takes one of three values: NONE, EXCLUSIVE, or SHARED.

For most modern single-database administrative configurations, EXCLUSIVE is the expected setting. It allows named users to receive administrative privileges and supports better auditability than forcing everyone to share SYS. To check the current setting:

SHOW PARAMETER REMOTE_LOGIN_PASSWORDFILE

If the setting must be changed, use an ALTER SYSTEM statement with SCOPE=SPFILE and restart the database; REMOTE_LOGIN_PASSWORDFILE is a static parameter, so the change takes effect only after the instance restarts.

Security Considerations

Run ORAPWD as the Oracle Software Owner

Run orapwd as the operating system account that owns the Oracle software installation. On Linux and Unix systems, this is commonly the oracle account. Running the command as the correct operating system user helps ensure that the file ownership and permissions are compatible with the Oracle instance.

Use Interactive Password Entry

Avoid this older pattern:

orapwd FILE=$ORACLE_HOME/dbs/orapwCOIN PASSWORD=mysecretpassword ENTRIES=10 FORMAT=12.2

This exposes the password in places where it does not belong. Use this safer pattern instead:

orapwd FILE=$ORACLE_HOME/dbs/orapwCOIN ENTRIES=10 FORMAT=12.2

Enter password for SYS:

Restrict File System Permissions

The password file is not ordinary text documentation. It is part of the privileged authentication infrastructure. Restrict access to the Oracle software owner and the appropriate operating system administrative group.

Coordinate Password File Replacement

Replacing a password file can affect remote DBA connections, backup operations, Data Guard services, and automation scripts. Before using FORCE=Y, verify that you understand which users and services depend on the existing file. Recreate or regrant administrative privileges as needed after replacement.

Common ORAPWD Errors and Fixes

File Already Exists

If the password file already exists, orapwd may refuse to overwrite it. Use FORCE=Y only when the replacement is intentional:

orapwd FILE=$ORACLE_HOME/dbs/orapwCOIN ENTRIES=10 FORMAT=12.2 FORCE=Y

Wrong Directory

If the file is created in the wrong directory, Oracle may not find it during startup or remote authentication. Confirm the expected operating system location for your platform and Oracle home. On Linux and Unix, the conventional location is $ORACLE_HOME/dbs. On Windows, the conventional location is usually under %ORACLE_HOME%\database.

Format Mismatch

If a password file is too old, it may not support the administrative roles or password behavior expected by the current database. Query V$PASSWORDFILE_INFO to confirm the file format. If the file is legacy and the database is modern, plan a controlled password file replacement.

Administrative User Missing

If a DBA account does not appear in V$PWFILE_USERS, verify that the user has actually been granted an administrative privilege:

GRANT SYSBACKUP TO backup_admin;

SELECT USERNAME, SYSDBA, SYSOPER, SYSBACKUP
FROM V$PWFILE_USERS;

Only users with relevant administrative privileges appear in the password file view.

Summary

To create a password file for the COIN database, use the orapwd utility, not oradim. Specify the correct file path, choose a modern format, reserve enough administrative entries, and allow Oracle to prompt interactively for the SYS password. After creating the file, restrict operating system permissions and verify the result with V$PWFILE_USERS and V$PASSWORDFILE_INFO.

The most appropriate Oracle 23ai example for the COIN database is:

orapwd FILE=$ORACLE_HOME/dbs/orapwCOIN ENTRIES=10 FORMAT=12.2

Enter password for SYS:

This approach creates a secure, modern password file while avoiding obsolete references to INTERNAL, avoiding command-line password exposure, and aligning the lesson with current Oracle administrative practice.

Creating Password File - Quiz

Click the Quiz link below to test your knowledge of the details of creating a password file.