Changing SQL Server Passwords

  • Comments posted to this topic are about the content posted at

  • To my knowledge a strong password, which is proteced against even freeware password breaker software should be at least 15 characters long and actually there is not much advantage if uppercase and lowercase characters are mixed with special characters in pw:s. So I think this should be mentioned currently every time passwords are an issue.

  • Why not use NT Authentication?

    That would let you use all the current enterprise tools for maintaining and controlling passwords (such as expiration, min length, etc).

    Yes, you need to manage the passwords that unattended applications use (user applications can just login as the user), but you'd have to do that anyway with SQLAuth.

    Jtango brings up a good point -- it's much better to use a long pass-phrase (or even sentence) than a short one.  If your password is < 14 letters, there is the chance that windows will accept a NTLM hash (which is completely dicionaried; given the hash [the part that is sent over the network], they can just look-up a valid password for that hash).  Though I'm not sure what effect the "word<sp>word<sp>word" pattern or the generally low-entropy-per-length has on the hash value.

  • Not all users of SQL Server, that use SQL Server Authentication have Query Analyzer installed on there desktop.  The kind of users I am referring to our the ones that typically use applications only from an end-user perspective.

    Now, if you are using SQL Server Authentication for end-users, and you do feel strongly about requiring the users to do the following you might consider this. 


    1) Build a web front end that executes a stored procedure that allows users to change there password.  The stored procedure would be the one executing sp_password. This stored procedure would also log into a password change table every time the user changed there password.  This stored procedure can also enforce your strong password requirements.

    2) Every time someone goes through your application to logon to SQL Server you check the password change table to see when they last changed their password.  If they haven't change it in say 90 days (your threshold for when a user need to change their password) then you bring up the password change web page and make them change there password before they get into the system.


    Gregory A. Larsen, MVP

  • hi all,

    While one can change the password from enterprise manger why is it that the password is not retain and system reset it to some default value.

    I have changed the sa password through osql utility but the same steps failed when i changed the the user i have created since the password gets reset by the system.

  • It's not clear what you are asking or what you did. Please provide more details about what happened, and what commands you ran.

  • Change SQL Server Password by Windows Authentication

    If Builtin/Administrator is present in SQL Server, you can login with an ID which is member of Administrators group and change sa password in SQL Server. Just do as follows:

    1. Login into SQL server using Windows Authentication.

    2. In Object Explorer, open Security folder, open Logins folder. Right Click on sa account and go to Properties.

    3. Type a new SQL sa password, and confirm it. Click OK to finish.

    After restarting SQL Server and all its servers, you can log into SQL Server by sa login with new SQL sa password.

  • Can you please provide the step to create web application

  • Can you please provide the step to create web front end

  • Here is another way to change SQL Server password: Open the SQL Server Management Studio.Open a New Query.Copy, paste, and execute the following:




    USE [master]




    where NewPassword is the password you wish to use for the sa account.

Viewing 10 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic. Login to reply