I thought this article on Best Buy PC setup was amusing. Here's a company that's trying to provide a service. They're offering to set up most of your new machine for you. To make sure that things work right away for you, they ask you to provide your password, so they can set a login password to your Windows/Mac. However the form has password below email, which might imply they will set up your email as well. That's something I know many non-technical people might appreciate.
Consumers probably think this is a good idea. Computer gets set up for them, and they pick a password. Technical people cringe. Password written down, given to stranger, stored by large company. What could go wrong? You can guess, or read the comments in the article.
As DBAs, I am sure many of us have to deal with SQL authenticated user accounts. The recommendation is for Windows authentication, but there have been exceptions for various reasons at almost every company where I have worked. This Friday, I'm curious how you deal with a similar situation.
How do you decide on a SQL login password for a user and get it to them?
This is a process question, asking how you pick a password, and how you send it to the user. I assume most of you check the "user must change password" box, but if not, let us know.
For systems where a password must be coded, I'd pick a long, hard to remember password, keep it in a safe location with other administrator passwords (something like Password Safe) and either type it in for an application or give it on paper to the developer/admin long enough to type it in before taking the paper back and destroying it. If it's a user, I've often built separate passphrases for each user, customized to something I know about them, and forced them to change their password.
Password security is hard, and complex, but so many administrators make it worse with constant, easy passwords they give to users. The password you choose sets an example, and "12345" or "asdf" are bad examples.
The Voice of the DBA Podcasts
We publish three versions of the podcast each day for you to enjoy.
The podcast feeds are available at sqlservercentral.mevio.com. You can also follow Steve Jones on Twitter:
Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com. They have a great version of Message in a Bottle if you want to check it out.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.