Password Guidance

I remember working at a large organization with a team of other IT Operations staffers. We rotated this one job every month amongst a few people, each taking turns, where we'd lose a day to update all the privileged passwords for our servers. This was before Managed Service Accounts and the cloud, when we were required to change these every 30 days and then store the new ones in an encrypted store.

What struck me when I got stuck with this wasn't the requirement to change every 30 days; that seemed normal. The thing that bothered me was how manual this was. As a former developer, I wrote some scripts to automated this, pre-PowerShell, and make the task easier on my fellow sys admins. I had scripts to generate a password, change it in AD, then print the pwd to be copied into our secure storage (no API there). This ran in a loop so I didn't lose a whole day to changing password.

These days, we have lots of alternatives to managing passwords, and in fact, much of modern guidance isn't to require password changes so often. For systems, use an automated process such as an MSA or GMSA. For users, we've mostly given up on changes and are trying to get people to use decently long passwords and disparate ones across services.

Modern guidance from Microsoft says to avoid using common passwords (asdfasdf, password1, ec.) and don't use the same password in multiple places. MFA is also recommended, but the anti-patterns for success are requiring long, complex passwords or frequent changes. Studies show these lead to less security because users do stupid things.

These days, I would guess many of you managing database systems use some sort of integrated security with AD, Entra, OAuth, etc. However, I know there are still places where passwords are in use. Do you require changes often? Do you change any of your passwords regularly?

Security is always hard, and it's even harder when the recommendations and rules aren't consistent or even enforced. I don't know what to do, but I try to use disparate, long passwords and MFA wherever I can. So far that's worked well.

Spread the Word about Basic Security

by Steve Jones

SQLServerCentral.com

Security

This week we have a few back to the basics security comments from Steve.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

5 (2)

You rated this post out of 5. Change rating

2019-06-25

432 reads

Discuss

A Double Failure

by Steve Jones

SQLServerCentral

Security

A company has both a server without a password and live data in test environments. Not a good situation.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

5 (2)

You rated this post out of 5. Change rating

2019-05-07

364 reads

Discuss

Azure SQL Database User

by Steve Jones

SQLServerCentral

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

5 (1)

You rated this post out of 5. Change rating

2019-04-29

732 reads

Discuss

Stop a Login

by Steve Jones

SQLServerCentral

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2019-04-22

1,057 reads

Discuss

Securing Code Early

by Steve Jones

SQLServerCentral

Last year I started to get alerts from Microsoft Repos that someone had put a piece of security information in their code that pertained to one of my Azure services. At first I was worried, but then I realized this was the public version of AdventureWorks we maintain in Azure. We've published the login so […]

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2019-04-17

202 reads

Discuss

Password Guidance

Rate

Share

Categories

Share

Rate

Password Guidance

Rate

Share

Categories

Share

Rate

Related content

Spread the Word about Basic Security

A Double Failure

Azure SQL Database User

Stop a Login

Securing Code Early