When I tried to change the password for SYS, I got an ORA-28017 error message. This was caused by a manual DB upgrade to 12C without upgrading the password file as well.
Problem Description
The way I encountered this error was when I was unable to logon remotely to a database instance with SYS AS SYSDBA. I tried to change the password directly using a bequeath connection and got the following error:
SQL> alter user sys identified by "****************"; alter user sys identified by "****************" * ERROR at line 1: ORA-28017: The password file is in the legacy format.
Error Description
The Oracle error lookup tool, oerr ora 28017, shows:
28017, 00000, "The password file is in the legacy format."
// *Cause: There are multiple possibilities for the cause of the error:
//
// * An attempt was made to grant SYSBACKUP, SYSDG or SYSKM.
// * These administrative privileges could not be granted unless
// the password file used a newer format ("12" or higher).
// * An attempt was made to grant a privilege to a user who
// has a large password hash which cannot be stored in
// the password file unless the password file uses a newer
// format ("12" or higher).
// * An attempt was made to grant or revoke a common administrative
// privilege in a CDB
// *Action: Regenerate the password file in the newer format ("12" or higher).
// Use the newer password file format ("12" or higher) if you need to
// grant a user the SYSBACKUP, SYSDG or SYSKM administrative
// privileges, or if you need to grant a privilege to a user
// who has a large password hash value.
//
Investigation
I found the following Oracle Support document:
As advised in Doc ID 2112456.1, I used the following command to examine the password file:
orapwd describe file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID}
The result was:
Password file Description : format=LEGACY ignorecase=N
Remediation
Instead of migrating the password, I just overwrote it with desired password values:
orapwd file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID} force=
I verified the result as follows:
orapwd describe file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID}
The result was:
Password file Description : format=12 ignorecase=N
Note
This problem only affects databases with compatible=’12.1.0′ or higher. Leaving the compatible parameter at 11.2 does not cause a problem with the password file.
Yet Another OCM 