Here is some code for generating a nice 128 character SA password; have fun:
set
declare
@password varchar
@char
@charindex
@loop
/* Unallowed characters:
! = 33
( = 40
) = 41
, = 40
* = 42
; = 59
? = 63
@ = 64
[ = 91
] = 93
{ = 123
} = 125
*/
select
while
begin
end
-- while @counter < 64 -- use this for app role passwords
Nice article. We only use SA for database ownership and sometimes for SQL Job
ownership. It is never used for connecting to the server because no one knows what
the password is. We use a simpler routine to generate a random 72 character value
for it.
DECLARE @pwd char(72)SELECT @pwd=convert(char(36),newid())+convert(char(36),newid())EXECUTE master..sp_password null,@pwd,'sa'
DECLARE @pwd char(72)
SELECT @pwd=convert(char(36),newid())+convert(char(36),newid())
EXECUTE master..sp_password null,@pwd,'sa'
Sample value:
0A8A24E8-A728-4DCF-B561-179511138895AAB9C183-BC26-49B3-BDC5-009AFFA5B83B
You are right about SQL ids not going away. Many developed and purchased applications
use them for simplicity and to reuse execution plan
"Only query plans with the same user ID are candidates for reuse." See http://www.microsoft.com/technet/prodtechnol/sql/2005/recomp.mspx
There are times when we DBA's need to use a SQL id.
To accomplish this we still don't use SA, instead we have a SQL Id with system
administration authority and assign it a complex password.
Thanks for giving me the opportunity to spout off about not using SA and having to
use mix mode
The problem is that most basic bundled software packages REQUIRE 'sa' to be used to do upgrades that I know of. It is very sad that software companies utilize 'sa' because it is just easier to use the 'god' right ID. Once I attempted to create an ID, assign it 'sa' rights for a temporary ID for one of these software apps we have to do an install/upgrade. It never worked correctly. I could not figure out why, so I changed the 'sa' password, we did the upgrade and I changed it back. Odd, very odd.
Some of the software vendors that come on-site here to install a new SQL Server based app want 'sa' password to be a word or sa... I over ride that and they want the user account password to be the same as the login or a simple word.... I override that idea too. A couple have come on-site to install and with that thought process and are not happy that I require a more difficult password as the application is already setup for a specific ID and password.... jeesh....
Thanks. Always good to read articles about security.
In our case we have a strong password for the sa account. To keep track of all the DBA activities we use for several DBA's a personal administrator account.
Only Windows authentication is not an option for us. The database administrators rights are of less concern than all the users being capable of login in with or without Windows authentication with a lot of tools other than the application where the database in the first place is used for.
We have build our own software with a built-in password scrambler. So the password you use to connect to the database is different from the one you type in at connect time. That's our solution to keep all those end users out of the database. So in no way Windows authentication for us!
