
The Voice of the DBA

Steve Jones is the editor of SQLServerCentral.com and visits a wide variety of data-related topics in his daily editorial. Steve has spent years working as a DBA and general-purpose Windows administrator, primarily working with SQL Server since it was ported from Sybase in 1990. You can follow Steve on Twitter at twitter.com/way0utwest.

SQL Authentication – Forcing Password Changes

When you create a SQL Server login (with SQL authentication), you have the option of enforcing password policies from Windows (in SQL Server 2005 and above).


The recommendation is that you check all three and force strong passwords. You also force a password change so the person has a private password not known by the administrator.

If you go back into this account later and look at the boxes, only two are available to be checked. The “User must change password at next login” box is grayed out.


In order to access this box and force a password change, you need to change the password. The reason is that if the account is compromised, the hacker should not be the one to set a new password. The security model assumes the administrator can contact the legitimate owner offline and give them the new password.

Start typing in the password box, and you can then check the box.

Of course, you need to set a password that conforms to the policies, and it needs to match the confirm edit box ;)
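
The same steps in T-SQL, as an added example that is not part of the original post. The login name and both passwords are constructed placeholders to be replaced with your own values.

```sql
-- Added example: login name and passwords below are placeholders.

-- 1. Create the login with all three boxes checked:
--    enforce policy, enforce expiration, and force a change at next login.
CREATE LOGIN [app_user_demo]
    WITH PASSWORD = N'<initial-strong-password>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- 2. Later, force another change. MUST_CHANGE is only accepted together
--    with a new PASSWORD, which matches the grayed-out box in the dialog.
--    It also requires CHECK_POLICY and CHECK_EXPIRATION to be ON.
ALTER LOGIN [app_user_demo]
    WITH PASSWORD = N'<new-strong-password>' MUST_CHANGE;

-- 3. Audit: list enabled SQL logins, showing which ones skip the Windows
--    policy checks and which still have a forced change pending.
SELECT  name,
        is_policy_checked,
        is_expiration_checked,
        LOGINPROPERTY(name, 'IsMustChange')        AS must_change_pending,
        LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM    sys.sql_logins
WHERE   is_disabled = 0
ORDER BY is_policy_checked, is_expiration_checked, name;
```

Logins that sort to the top of the audit result (policy or expiration unchecked) cannot be given MUST_CHANGE until those options are turned on.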

