A password can be specified as part of the user definition. The usage of the user password depends on whether DBMS authentication is enabled.

If DBMS authentication is enabled, the user name and password supplied by the connection attempt must match the user name and password defined in the user definition. If no password is supplied by the connecting application, the connection attempt fails.

If DBMS authentication is not enabled, the DBMS password operates as a second level of password after the initial connection is established (using the configured GCF security mechanism, such as authentication against an OS user and password). In this case, the application sends the DBMS password in the clear, after the connection is established. If the application does not provide a DBMS password, the DBMS server asks the client to prompt for one; if prompting is impossible, the connection attempt fails.

A user with the CHANGE_PASSWORD privilege is permitted to change their own password; to do so, however, they must supply their old password. A user with the maintain_users privilege can change the password of another user in addition to changing the method of password validation or removing the password.