Oracle Tips by Burleson


Hiding the SQL*Plus Password

When a user starts SQL*Plus, the most likely way is by issuing:

sqlplus scott/tiger

This assumes, of course, that the user is SCOTT and the password is TIGER. However, if a user on another terminal enters the following command:

ps -aef | grep sqlplus

he will see this:

sqlplus scott/tiger

The password of SCOTT is revealed. Clearly, this is a security hole. The users must be instructed never to use the password directly on the command line.

Either the following command should be used:

sqlplus SCOTT

Oracle should prompt for a password, which would then be entered. Or SQL*Plus should be started without logging in:

sqlplus /nolog

Some other ways to connect from a program include:

sqlplus /nolog << EOF
… your sql statements go here
EOF

Similar warnings exist for other Oracle utilities such as export, import, SQL*Loader, and RMAN. Some programs written in Pro*C or Java may need the parameter to be passed on the command line. These also should never expose the password, and access should be strictly prohibited. The programs or utilities will prompt for passwords if not supplied, and the password may be fed from a file via redirection (using the "<" character).

Sometimes we have found it useful to store the password in some secured file owned by the software owner, and readable only by the owner. Although it is not absolutely secure by any means, it's nevertheless a deterrent to theft.

Sometimes DBAs, the very people in charge of security, also make mistakes that expose the password. A common example is using the TKPROF tool. The DBA might give a command like this:

tkprof tracefile.trc tkout.out explain=sys/changed

Note the use of the sys password for the explain clause. Although the explain clause needs a password, it can be given later at the prompt. In any case, unless SYS-owned objects are being explained, the user sys should never be used to explain the plan. Rather, the application user should be used to explain the plan.
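
The exposure described above can be audited for. The following added example (not code from the original article) scans ps -aef style output for the utilities the page names and reports any invocation that carries a user/password argument, with the password redacted. It generalizes the sqlplus case to the other utilities mentioned; the binary names exp, imp and sqlldr, the function names, and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example: flag Oracle utilities started with a password in argv.
# Reads `ps -aef`-style lines on stdin; the command is assumed to start at
# column 8 (UID PID PPID C STIME TTY TIME CMD).

# Utilities the page names; exp, imp and sqlldr are the assumed binary names
# for export, import and SQL*Loader.
ORA_TOOLS='sqlplus|exp|imp|sqlldr|rman|tkprof'

find_exposed_creds() {
    awk -v tools="^($ORA_TOOLS)\$" '
    BEGIN { cred = "^[A-Za-z][A-Za-z0-9_$#]*/[^/@]+(@.*)?$" }
    {
        # Find the utility among the command fields, ignoring its path.
        cmd = 0
        for (i = 8; i <= NF; i++) {
            base = $i; sub(/.*\//, "", base)
            if (base ~ tools) { cmd = i; break }
        }
        if (!cmd) next
        # A later argument shaped like user/password, bare or after key=
        # (userid=, explain=), is reported. Heuristic: a relative path with
        # one slash also matches, so treat hits as leads to review.
        for (j = cmd + 1; j <= NF; j++) {
            arg = $j; sub(/^[A-Za-z_]+=/, "", arg)
            if (arg ~ cred) {
                split(arg, p, "/")
                printf "%s pid=%s tool=%s account=%s password=<redacted>\n", $1, $2, base, p[1]
                break
            }
        }
    }'
}

# Constructed sample listing (not real output).
sample_ps() {
    cat <<'EOF'
oracle    4101  3990  0 10:02 pts/1    00:00:00 sqlplus scott/tiger
oracle    4102  3990  0 10:03 pts/2    00:00:00 sqlplus /nolog
oracle    4103  3990  0 10:04 pts/3    00:00:00 sqlplus SCOTT
oracle    4104  3990  0 10:05 pts/4    00:00:00 tkprof tracefile.trc tkout.out explain=sys/changed
appuser   4105  3990  0 10:06 pts/5    00:00:00 /u01/app/oracle/bin/exp userid=scott/tiger file=scott.dmp
appuser   4106  3990  0 10:07 pts/6    00:00:00 grep sqlplus
EOF
}

sample_ps | find_exposed_creds
```

On a live host the same function can be fed from ps -aef on a schedule, so that scripts and users still passing passwords on the command line are found and corrected.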


 Copyright © 1996 -2017 by Burleson. All rights reserved.
