I'm running oracle 19c and in my app server code I'm receiving old/new passwords from the user and building the alter user query, including the REPLACE clause, and executing it. It seems to ALWAYS let them change their password even if the old password is incorrect.
The same is true when I manually execute the queries from TOAD. In other words, this below will change their password to "bar". I would have expected the second statement to fail since their password is "food", not "bad_password"
ALTER USER myuser IDENTIFIED BY "foo";
ALTER USER myuser IDENTIFIED BY "bar" REPLACE "bad_password";
I've tried searching but I'm not able finding it difficult to word the problem in a way that I get helpful results.
What totally obvious thing am I missing?
You can omit the REPLACE clause if you are setting your own password or you have the ALTER USER system privilege and you are changing another user's password. However, unless you have the ALTER USER system privilege, you must always specify the REPLACE clause if a password complexity verification function has been enabled, either by running the UTLPWDMG.SQL script or by specifying such a function in the PASSWORD_VERIFY_FUNCTION parameter of a profile that has been assigned to the user.
And more relevantly to your situation:
Oracle Database does not check the old password, even if you provide it in the REPLACE clause, unless you are changing your own existing password.
As your application (and, presumably, Toad) is connected as a different user, myuser is not changing their own password, so REPLACE is ignored.
I would expect your application to authenticate the user with their existing password before issuing the alter statement with the new password on their behalf.