Applies to:Oracle Server - Enterprise Edition - Version: 184.108.40.206 and later [Release: 11.1 and later ]
Information in this document applies to any platform.
Checked for relevance on 30-Aug-2011
The change to DBA_USERS is the result of a security enhancement, it was no longed deemed appropriate to show the password hashes in the DBA_USERS view as it may cause undesired exposure when access to this view is needed by 'unprivileged' users. This feature coincides with the introduction of the new hash algorithm, which is stored differently as compared to the visible hash in earlier releases anyway.
The old style hash is still stored in USER$.PASSWORD column, the new SHA-1 hash is in USER$.SPARE4, but none of them is exposed in DBA_USERS for security reasons.
The lack of a visible hash in DBA_USERS does not mean the user is externally authenticated. If a user is externally authenticated, this is explicitly indicated in the PASSWORD column by the value "EXTERNAL".
A documentation bug was opened, as the 11g documentation had not been updated to reflect the new