Recently, I found a great Oracle Database 21c feature: Gradual Password Rollover. Here is the best part: it was backported to Database 19c.

This database trait that only middleware administrators or DevOps engineers could really appreciate. For Oracle Fusion Middleware installations, a database password change is a carefully choreographed effort that still could hit your error budget. By introducing the feature, Oracle eliminates all risks associated with database password rotation.

Besides the compatible database version, your accounts should have a profile. I hope you have them already to keep other security controls in check.

-- Enable password rollover for profile for 24 hours
ALTER PROFILE ofmw_accounts 

-- Change the user password with the profile ofmw_accounts
      IDENTIFIED BY my-new-and-log-password;

After the password change, old and new passwords would co-exist for the next forty-eight hours. Which allows your middleware administrators to update database connections without any downtime. Rollover window sets in days, but you can use fractions. For example, value 1/2 means that you have 12 hours until an old password disappears.

You can not set a rollover window longer than 60 days or set it larger than the expiration grace time or the password lifetime. The graceful rollover window should be the smallest one.

Finally, to disable this feature, update an account profile and set it back to default. It is the same as setting it to 0.

--- Disable password rollover 
ALTER PROFILE ofmw_accounts