Does Oracle OCI function OCIPasswordChange encrypt transmitted password

Question

I am working on an application that uses Oracle OCI to connect to the Oracle database server. The application allows the user to change their Oracle password and uses Alter User xxx Identified By to perform this.

However, this transmits the user's new password in clear text over the network (we cannot use Oracle SSL to encrypt network traffic). I have found that Oracle recommends using the PASSWORD command in SQLPlus rather than ALTER USER, one reason being that the new password encrypted.

Does the OCI method OCIPasswordChange also encrypt the new password when it is transmitted over the network?

This is using Oracle 10 and 11.

Answer 1

Yes, OCIPasswordChange does encrypt the new password sent over the network.

I have now implemented this and done a packet trace. An encrypted AUTH_NEWPASSWORD packet is transmitted to the Oracle database server.