What is the default sa password?


keymoo
If I install an instance with Windows Only authentication, and then change it to Mixed Mode, if I enable the sa login, the password has already been set. What is the default? If it's generated, how secure is it? Is the password generated? What algorithm is used for that?



Keith Tate
When you change modes the sa password is still disabled. Here, read this article: http://technet.microsoft.com/en-us/library/ms188670.aspx
If Windows Authentication mode is selected during installation, the sa login is disabled and a password is assigned by setup. If you later change authentication mode to SQL Server and Windows Authentication mode, the sa login remains disabled. To use the sa login, use the ALTER LOGIN statement to enable the sa login and assign a new password. The sa login can only connect to the server by using SQL Server Authentication.




Microsoft Certified Master - SQL Server 2008
Follow me on twitter: @keith_tate

Forum Etiquette: How to post data/code on a forum to get the best help
keymoo
Thanks Keith, I know that. I'm wondering how the password is generated, i.e. is it secure enough? I'm wondering if I have to set my own "good" password for security reasons. I'm trying to make a security assessment.



Keith Tate
I would say that if you don't need to use the SA account leave it disabled. If you need it make your own password that is secure enough. The one generated by setup doesn't really come into play since it is disabled at first (because you picked Windows during start up) and it is still disabled after you changed authentication.



Jeff Moden
keymoo (1/13/2014)
If I install an instance with Windows Only authentication, and then change it to Mixed Mode, if I enable the sa login, the password has already been set. What is the default? If it's generated, how secure is it? Is the password generated? What algorithm is used for that?


Unless someone changed it, the SA password is the one used when SQL Server was installed.

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
paul.knibbs
Jeff Moden (1/13/2014)
Unless someone changed it, the SA password is the one used when SQL Server was installed.


But you're not asked to specify an SA password during setup if you select Windows authentication, are you? Unsure
keymoo
paul.knibbs (1/14/2014)
Jeff Moden (1/13/2014)
Unless someone changed it, the SA password is the one used when SQL Server was installed.


But you're not asked to specify an SA password during setup if you select Windows authentication, are you? Unsure


Exactly, I know the risk is small, but if the instance was placed in Mixed Mode and the sa account enabled (by mistake, or a script, or something), how secure is the password? Is it easy to reverse? Is it as secure as a SHA-256 one way hash function? Am I worrying unnecessarily about vanishingly small probabilities of edge cases?



patricklambin
When, during the install of a new SQL Server instance, you choose Windows authentication, the sa login is disabled and set to an empty string.
So when you change the authentication from Windows to SQL Server, you have to enable the sa login, but the password is set to an empty string. I tested it with SQL Server 2008, 2008 R2 and 2012.
If, during the install, you choose SQL Server (or Mixed) authentication, you have to provide a non-empty string (a good novelty in 2012). When you change the authentication from Mixed to Windows, the sa login is "disabled" but the password is kept. So if, later on, you change the authentication from Windows to Mixed, the original value (set at install) is always usable.
Jeff Moden
keymoo (1/14/2014)
paul.knibbs (1/14/2014)
Jeff Moden (1/13/2014)
Unless someone changed it, the SA password is the one used when SQL Server was installed.


But you're not asked to specify an SA password during setup if you select Windows authentication, are you? Unsure


Exactly, I know the risk is small, but if the instance was placed in Mixed Mode and the sa account enabled (by mistake, or a script, or something), how secure is the password? Is it easy to reverse? Is it as secure as a SHA-256 one way hash function? Am I worrying unnecessarily about vanishingly small probabilities of edge cases?


It's been a while since I've had to do an install so I could certainly be wrong but I'm pretty sure it always asks you for an SA password. To be sure, though, I'd always worry about the SA password and disable the SA account even after giving it a good, strong password and storing it in a safe somewhere.

--Jeff Moden

Keith Tate
I'm not sure what is being asked now? There is no default password that I know of for every instance. I'm also not sure how strong the password is that is supplied during setup (with Windows only), but why do we care at this point? The advice is to create your own strong password for sa and disable the account if it is not being used.

Is there something I'm missing?



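One way to settle the assessment question on the instance itself, instead of relying on whatever setup assigned (an added T-SQL example, not code posted by anyone in this thread; the password literal is a placeholder, and the statements assume a sysadmin session):

```sql
-- Part 1: read-only audit of the built-in sa login. Nothing here changes state.
SELECT
    CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
        WHEN 1 THEN 'Windows Authentication only'
        ELSE 'Mixed Mode'
    END                                           AS auth_mode,
    l.name                                        AS login_name,   -- differs from 'sa' if renamed
    l.is_disabled,                                                 -- 1 = cannot log in
    l.is_policy_checked,                                           -- Windows password policy enforced
    l.is_expiration_checked,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime')  AS password_last_set,
    PWDCOMPARE('', l.password_hash)               AS has_blank_password,    -- 1 = empty password
    PWDCOMPARE(l.name, l.password_hash)           AS password_equals_name   -- 1 = password is the login name
FROM sys.sql_logins AS l
WHERE l.sid = 0x01;   -- sa always has SID 0x01, even after a rename

-- Part 2: hardening, matching the advice in the thread. Set a password you
-- chose yourself, keep policy enforcement on, and leave sa disabled unless
-- it is actually needed.
-- N'<strong-password-placeholder>' is a placeholder; substitute your own value.
-- If the login was renamed, use the login_name returned by Part 1 instead of sa.
ALTER LOGIN sa WITH PASSWORD = N'<strong-password-placeholder>',
    CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;

-- Part 3: confirm the result. Expect is_disabled = 1 and has_blank_password = 0.
SELECT l.name,
       l.is_disabled,
       PWDCOMPARE('', l.password_hash) AS has_blank_password
FROM sys.sql_logins AS l
WHERE l.sid = 0x01;
```

A `password_last_set` value close to the install date indicates the password has never been changed since setup.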