A nasty password-related gotcha in sqlplus
If you're working with Oracle database (and not using just tools with GUI), you surely know sqlplus i.e. a console-based SQL client for Oracle. A very spartan tool (forget about history of commands, auto completions, advanced editor etc.) but very effective and often used if all you have is access through SSH. But it has some quirks - one very nasty password-related hit me recently.
If you're security wise, I guess you know the rule that a password should be a non-trivial combination of letters, numbers and symbols - "frank123" obviously is not a strong password, while "W4d23#!?s" is a much better one. I personally use a generator when creating application passwords - these passwords will be stores in a property file for example, so why not to use a good one.
And this is where I was struck by the gotcha, as the generator produced a string containing the '@' symbol, which resulted in a total confusion of the sqlplus too, my frantic attempts to fix the problem for almost 30 minutes, and the fact that the customer's IT department thinks we're a bunch of idiots unable to enter a password.
The simplest way to instruct sqlplus where to connect is to use a string "login/password@SID" (SID is the name of the Oracle instance) on a command line. As you can see, using a password containing '@' (e.g. pass@word) results in a conflict with the other '@' symbol preceding the SID, and Oracle will simple respond with this
$ sqlplus username/abc@def@orcl11g ERROR: ORA-12154: TNS:could not resolve the connect identifier specified
You may try to escape the password in various ways, but nothing helps
$ sqlplus username/"abc@def"@orcl11g ERROR: ORA-12154: TNS:could not resolve the connect identifier specified $ sqlplus username/abc\@def@orcl11g ERROR: ORA-12154: TNS:could not resolve the connect identifier specified $ sqlplus username/"abc\@def"@orcl11g ERROR: ORA-12154: TNS:could not resolve the connect identifier specified $ sqlplus username/'abc@def'@orcl11g ERROR: ORA-12154: TNS:could not resolve the connect identifier specified
You may you try to enter the password interactively (i.e. not specifying it on a command-line so that sqlplus will ask you to enter it):
$ sqlplus username@orcl11g Enter password: ERROR: ORA-12154: TNS:could not resolve the connect identifier specified
Sqlplus obviously constructs the full connection string interactively, and then it's confused exacly as when you've specified the full connection string on a command line.
I'm not going to waste your time - I haven't found any solution how to force sqlplus to use a password with a '@' symbol in it. In the end I've written an e-mail to the customer's IT department asking for a password request, and a second later I've realized that maybe we could use a JDBC client (fortunately we had a working SQL Developer), and it worked.
The only good thing is that you may not lock the account (because of too many failed login attempts), as the sqlplus is not able to locate the instance (so that it does not reach the password verification, so it can't lock the account).
A five minute Google search plus trial and error resulted in a solution that works for me:
Provide only the username in the initial command, e.g.:
sqlplus myuser@sid
When prompted for the password, enter your password wrapped in double quotes.
SQLPlus seems like such an inferior tool for such a popular database. MySQL's client is sooo much more user friendly.
Alex,
you saved me bro...
I am using 10 databases for development and recently chaged my password using @ symbol in it.
if I ware didn't found your comment I had to change my passwords for all databases.
thanks.