

# Creating custom functions to verify passwords
<a name="Appendix.Oracle.CommonDBATasks.CustomPassword"></a>

You can create a custom password verification function in the following ways:
+ To use standard verification logic, and to store your function in the `SYS` schema, use the `create_verify_function` procedure. 
+ To use custom verification logic, or to avoid storing your function in the `SYS` schema, use the `create_passthrough_verify_fcn` procedure. 

# The create_verify_function procedure
<a name="Appendix.Oracle.CommonDBATasks.CustomPassword.Standard"></a>

You can create a custom function to verify passwords by using the Amazon RDS procedure `rdsadmin.rdsadmin_password_verify.create_verify_function`. The `create_verify_function` procedure is supported for all versions of RDS for Oracle.

The `create_verify_function` procedure has the following parameters. 



| Parameter name | Data type | Default | Required | Description | 
| --- | --- | --- | --- | --- | 
|  `p_verify_function_name`  |  varchar2  |  —  |  Yes  |  The name for your custom function. This function is created for you in the SYS schema. You assign this function to user profiles.   | 
|  `p_min_length`  |  number  |  8  |  No  |  The minimum number of characters required.  | 
|  `p_max_length`  |  number  |  256  |  No  |  The maximum number of characters allowed.  | 
|  `p_min_letters`  |  number  |  1  |  No  |  The minimum number of letters required.  | 
|  `p_min_uppercase`  |  number  |  0  |  No  |  The minimum number of uppercase letters required.  | 
|  `p_min_lowercase`  |  number  |  0  |  No  |  The minimum number of lowercase letters required.  | 
|  `p_min_digits`  |  number  |  1  |  No  |  The minimum number of digits required.  | 
|  `p_min_special`  |  number  |  0  |  No  |  The minimum number of special characters required.  | 
|  `p_min_different_chars`  |  number  |  3  |  No  |  The minimum number of different characters required between the old and new password.  | 
|  `p_disallow_username`  |  boolean  |  true  |  No  |  Set to `true` to disallow the user name in the password.  | 
|  `p_disallow_reverse`  |  boolean  |  true  |  No  |  Set to `true` to disallow the reverse of the user name in the password.  | 
|  `p_disallow_db_name`  |  boolean  |  true  |  No  |  Set to `true` to disallow the database or server name in the password.  | 
|  `p_disallow_simple_strings`  |  boolean  |  true  |  No  |  Set to `true` to disallow simple strings as the password.  | 
|  `p_disallow_whitespace`  |  boolean  |  false  |  No  |  Set to `true` to disallow white space characters in the password.  | 
|  `p_disallow_at_sign`  |  boolean  |  false  |  No  |  Set to `true` to disallow the @ character in the password.  | 

You can create multiple password verification functions.

There are restrictions on the name of your custom function. Your custom function can't have the same name as an existing system object. The name can be no more than 30 characters long. Also, the name must include one of the following strings: `PASSWORD`, `VERIFY`, `COMPLEXITY`, `ENFORCE`, or `STRENGTH`. 

The following example creates a function named `CUSTOM_PASSWORD_FUNCTION`. The function requires that a password has at least 12 characters, 2 uppercase characters, 1 digit, and 1 special character, and it disallows the @ character in the password. 

```
begin
    rdsadmin.rdsadmin_password_verify.create_verify_function(
        p_verify_function_name => 'CUSTOM_PASSWORD_FUNCTION', 
        p_min_length           => 12, 
        p_min_uppercase        => 2, 
        p_min_digits           => 1, 
        p_min_special          => 1,
        p_disallow_at_sign     => true);
end;
/
```

To see the text of your verification function, query `DBA_SOURCE`. The following example gets the text of a custom password function named `CUSTOM_PASSWORD_FUNCTION`. 

```
COL TEXT FORMAT a150

  SELECT TEXT 
    FROM DBA_SOURCE 
   WHERE OWNER = 'SYS' 
     AND NAME = 'CUSTOM_PASSWORD_FUNCTION' 
ORDER BY LINE;
```

To associate your verification function with a user profile, use `ALTER PROFILE`. The following example associates a verification PL/SQL function named `CUSTOM_PASSWORD_FUNCTION` with the `DEFAULT` user profile. `PASSWORD_VERIFY_FUNCTION` is the Oracle profile resource name. 

```
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION CUSTOM_PASSWORD_FUNCTION;
```

To see which user profiles are associated with which verification functions, query `DBA_PROFILES`. The following example gets the profiles that are associated with the custom verification function named `CUSTOM_PASSWORD_FUNCTION`. 

```
SELECT * FROM DBA_PROFILES WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION' AND LIMIT = 'CUSTOM_PASSWORD_FUNCTION';


PROFILE                    RESOURCE_NAME                     RESOURCE  LIMIT
-------------------------  --------------------------------  --------  ------------------------
DEFAULT                    PASSWORD_VERIFY_FUNCTION          PASSWORD  CUSTOM_PASSWORD_FUNCTION
```

The following example gets all profiles and the password verification functions that they are associated with. 

```
SELECT * FROM DBA_PROFILES WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION';

PROFILE                    RESOURCE_NAME                     RESOURCE  LIMIT
-------------------------  --------------------------------  --------  ------------------------
DEFAULT                    PASSWORD_VERIFY_FUNCTION          PASSWORD  CUSTOM_PASSWORD_FUNCTION
RDSADMIN                   PASSWORD_VERIFY_FUNCTION          PASSWORD  NULL
```
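
Assigning a function to a profile only protects the accounts that use that profile, so it is worth checking which open accounts end up with no verification function at all. The following query is an added example, not part of the original RDS documentation. It assumes the standard Oracle dictionary view `DBA_USERS` and resolves a profile limit of `DEFAULT` to the value set on the `DEFAULT` profile.

```sql
-- Added example: show each open account and the verification function
-- that effectively applies to it. A profile whose limit is the string
-- 'DEFAULT' inherits the setting of the DEFAULT profile.
SELECT u.username,
       u.profile,
       CASE p.limit
           WHEN 'DEFAULT' THEN d.limit
           ELSE p.limit
       END AS effective_verify_function
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
  JOIN dba_profiles d
    ON d.profile = 'DEFAULT'
   AND d.resource_name = 'PASSWORD_VERIFY_FUNCTION'
 WHERE u.account_status = 'OPEN'
 ORDER BY effective_verify_function, u.username;
```

Rows where `EFFECTIVE_VERIFY_FUNCTION` is `NULL` are accounts whose password changes are not checked by any verification function.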

# The create_passthrough_verify_fcn procedure
<a name="Appendix.Oracle.CommonDBATasks.CustomPassword.Custom"></a>

The `create_passthrough_verify_fcn` procedure is supported for all versions of RDS for Oracle.

You can create a custom function to verify passwords by using the Amazon RDS procedure `rdsadmin.rdsadmin_password_verify.create_passthrough_verify_fcn`. The `create_passthrough_verify_fcn` procedure has the following parameters. 



| Parameter name | Data type | Default | Required | Description | 
| --- | --- | --- | --- | --- | 
|  `p_verify_function_name`  |  varchar2  |  —  |  Yes  |  The name for your custom verification function. This is a wrapper function that is created for you in the SYS schema, and it doesn't contain any verification logic. You assign this function to user profiles.   | 
|  `p_target_owner`  |  varchar2  |  —  |  Yes  |  The schema owner for your custom verification function.  | 
|  `p_target_function_name`  |  varchar2  |  —  |  Yes  |  The name of your existing custom function that contains the verification logic. Your custom function must return a boolean. Your function should return `true` if the password is valid and `false` if the password is invalid.   | 

The following example creates a password verification function that uses the logic from the function named `PASSWORD_LOGIC_EXTRA_STRONG`. 

```
begin
    rdsadmin.rdsadmin_password_verify.create_passthrough_verify_fcn(
        p_verify_function_name => 'CUSTOM_PASSWORD_FUNCTION', 
        p_target_owner         => 'TEST_USER',
        p_target_function_name => 'PASSWORD_LOGIC_EXTRA_STRONG');
end;
/
```
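
The wrapper contains no verification logic, so the target function must already exist in the target schema. The following is an added sketch of what `TEST_USER.PASSWORD_LOGIC_EXTRA_STRONG` could look like; it is not code from the RDS documentation. It assumes the wrapper passes Oracle's standard three verification arguments (user name, new password, old password), and the 16-character minimum is an illustrative policy value.

```sql
-- Added example: a target function for create_passthrough_verify_fcn.
-- Assumption: the three-argument signature Oracle uses for profile
-- verification functions. Returns TRUE if valid, FALSE if invalid.
CREATE OR REPLACE FUNCTION test_user.password_logic_extra_strong (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2
) RETURN BOOLEAN
IS
    c_min_length CONSTANT PLS_INTEGER := 16;  -- illustrative value
BEGIN
    -- Reject missing or short passwords.
    IF password IS NULL OR LENGTH(password) < c_min_length THEN
        RETURN FALSE;
    END IF;

    -- Require an uppercase letter, a lowercase letter, a digit,
    -- and a character that is neither alphanumeric nor white space.
    IF NOT (REGEXP_LIKE(password, '[[:upper:]]')
        AND REGEXP_LIKE(password, '[[:lower:]]')
        AND REGEXP_LIKE(password, '[[:digit:]]')
        AND REGEXP_LIKE(password, '[^[:alnum:][:space:]]')) THEN
        RETURN FALSE;
    END IF;

    -- Reject passwords that contain the user name (case-insensitive).
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        RETURN FALSE;
    END IF;

    -- old_password is NULL when an administrator resets another
    -- user's password, so only compare when it is supplied.
    IF old_password IS NOT NULL AND password = old_password THEN
        RETURN FALSE;
    END IF;

    RETURN TRUE;
END;
/
```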

To associate the verification function with a user profile, use `ALTER PROFILE`. The following example associates the verification function with the `DEFAULT` user profile. 

```
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION CUSTOM_PASSWORD_FUNCTION;
```