You are correct. Adding complexity will not lock an account. Yes, initial and reset passwords meet the complexity rules. As for the application prompting them, I would assume the application would need to notify them. I produce a report that is mailed to the end users when their database passwords are within 3 weeks of expire, and then each week thereafter. They can change their passwords when they have the time. -- Ron Reidy Lead DBA Array BioPharma, Inc. -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of J. Dex Sent: Thursday, March 02, 2006 1:49 PM To: oracle-l@xxxxxxxxxxxxx Subject: password complexity -- implementing security changes I am wondering how other shops handle security changes relating to password complexity. We just implemented a lot of security features into our database including password complexity. The users login through an application. Adding password complexity did not appear to lock out their accounts. When they try and login, though, with multiple attempts it finally does lock it. Do most of you just give them a password initially that fits complexity and tell them they have to change it? I am still not even sure if the application is going to prompt them after 90 days to change the password or they will just start getting locked out. _________________________________________________________________ Don't just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/ -- //www.freelists.org/webpage/oracle-l This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system. -- //www.freelists.org/webpage/oracle-l