You're right, Kathryn. I was wrong. verify_function_11G removed the punctuation mark check. It's interesting to note that 11gR1 Security Guide still recommends "include at least 1 punctuation mark" http://www.comp.dit.ie/btierney/Oracle11gDoc/network.111/b28531/authentication.htm#CHDFDHAJ In 11gR2, it changes to "can include multibyte characters", "can include the underscore (_), dollar ($), and number sign (#) characters" http://download.oracle.com/docs/cd/E11882_01/network.112/e10574/guidelines.htm#CHDEGEIF I think one reason the punctuation mark check is removed is that adding mixed case letters causes brute force password cracking much harder than including punctuation marks, 26 more possibilities versus less than 20 or so (in fact, much lower considering people's habit of only using a few familiar punctuation marks). And the inconvenience of enclosing the password with punctuation marks in double quotes is not worth it. Yong Huang --- On Wed, 4/28/10, kathryn axelrod <kat.axe@xxxxxxxxx> wrote: From: kathryn axelrod <kat.axe@xxxxxxxxx> Subject: Re: 11g password complexity To: "Yong Huang" <yong321@xxxxxxxxx> Cc: oracle-l@xxxxxxxxxxxxx Date: Wednesday, April 28, 2010, 10:56 AM Hi Yong, Are you looking at the updated version (verify_function_11g) or the original version (verify_function)? The utlpwdmg.sql (in 11.1.0.7 at least) contains both. And as part of the script it sets the default profile to use the 11g version. Thanks, -kathryn On Wed, Apr 28, 2010 at 7:21 AM, Yong Huang <yong321@xxxxxxxxx> wrote: > The basic utlpwdmg.sql script was modified for 11g and as one would expect, ... > In prior versions, it required "at least one digit, one character and one > punctuation". The 11g version requires "at least one digit, one character". > Does anyone know why they removed the 'punctuation' requirement? Kathryn, I checked utlpwdmg.sql in both 11.1 and 11.2.0.1. They both still have the same requirement, "at least one digit, one character and one punctuation". Yong Huang