Login Password Change and Key Copies

If you hold key copies encrypted by your login password on one or more keys, you need not modify those key copies after you change your own login password. alter login decrypts your key copies with your old login password and re-encrypts them using the new login password.

If the SSO uses alter login to change your password, alter login drops your key copies. This prevents an administrator from gaining access to a key through a password the administrator knows. After a mandatory password change of this kind, the key custodian must use alter encryption key to add a key copy for login_association for the user whose password was changed. alter login ignores offline databases; for keys stored in offline databases, the key custodian follows the steps for recovering a lost key copy password when the database comes back online.

The key custodian may also need to perform these steps when a user's password is changed after the server is started using the -p flag. If the SSO who uses the -p flag also has access to keys through key copies encrypted with his or her login password, then the key custodian must drop and re-create the SSO's key copies.
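The following is an added example, not part of this page, showing the sequence the two paragraphs above describe: the SSO resets a user's login password, and the key custodian then restores that user's key copy with alter encryption key. The key name ssn_key, the users ann and sso1, and all passwords are constructed placeholders, and the statement syntax is assumed from the SAP ASE reference for alter login and alter encryption key; check it against the reference for your server version.

```sql
-- Added example (not the page's own code). Names and passwords are constructed.
-- Run each step as the role named in its comment.

-- Step 1 (SSO): reset ann's login password. Because the SSO, not ann, changes
-- the password, alter login drops ann's key copies instead of re-encrypting them.
alter login ann modify password 'Tmp!Pass_01'
go

-- Step 2 (key custodian): add a new key copy for ann marked for login_association.
-- The custodian supplies the base key password and a temporary copy password;
-- ASE associates the copy with ann's login password after she next logs in
-- (assumed behaviour of 'for login_association').
alter encryption key ssn_key with passwd 'base_key_password'
    add encryption with passwd 'Tmp!Pass_01'
    for user ann for login_association
go

-- Step 3 (key custodian, -p case): if the server was started with -p for the
-- SSO and the SSO holds login-password-encrypted key copies, drop and
-- re-create those copies rather than leaving them bound to the old password.
alter encryption key ssn_key with passwd 'base_key_password'
    drop encryption for user sso1
go

alter encryption key ssn_key with passwd 'base_key_password'
    add encryption with passwd 'Tmp!Pass_02'
    for user sso1 for login_association
go
```

The key copies for keys stored in databases that were offline during the password change are not touched by step 1; for those, the custodian applies the lost-key-copy-password recovery procedure once the database is online.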

Related concepts
Loss of Login Password