Force Password Changes

  • Anyone know if there is a good way to detect and report on password changes? Like to check and force people to change them every xx days.

    I found there is an xdate2 column in sysxlogins that should be the login record update date/time.

    Any other suggestions?

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

  • How about simply modifying sp_password? You could insert logic to keep track of when a login's password was changed in a separate table. Then have a job run nightly that picks up passwords not changed after X days.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • If you provide people an ASP form to change their password, then you could log the date they last changed their password. This form could also allow you to make sure they used hardened passwords, so passwords contained special characters, were so long, etc. Although the drawback of this is someone might be able to use the ASP form, and underlying SP, to capture passwords.

    Gregory Larsen, DBA

    If you are looking for SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples

    Gregory A. Larsen, MVP

  • Hey, just thought of another way. You could capture the encrypted password, and then daily check to see if the encrypted password changed. Once it changed, you would know when it changed. If the encrypted password did not change for more than xx days then you could notify the user to change their password.

    Gregory Larsen, DBA

    If you are looking for SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples

    Gregory A. Larsen, MVP

  • From the TechNet webcast today... the Moderator (Jean-Claude Armand) indicated they are trying to put into the next version of SQL Server a password expiration policy. Cross your fingers.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • That will be nice. Another thought I had based on another thread is if you are using SQL 2000 you can create a table to store BINARY_CHECKSUM values for each user's password, a date and their uid. Then once a day at midnight you have a job that compares the checksums; if different, update the checksum value stored and the date. If the same, check the date and if 90 days, send an email giving a few days to change (of course you need a utility for this). Then say if they don't meet the deadline, change the password to something random even you don't know and then they will have to get help changing.

    Anyone got anything similar to BINARY_CHECKSUM I may have overlooked in SQL 7? I do not like the idea of storing the password in another location; it creates additional risk. Probably could build from checksum but seems would be more effort than worth.
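
The nightly checksum comparison described in the last post could look like this in T-SQL for SQL Server 2000. This is an added example, not code from any poster: the LoginPasswordAudit table and its columns are hypothetical names, and it reads the syslogins view rather than sysxlogins directly.

```sql
-- Added example, not code from the thread. LoginPasswordAudit and its columns
-- are hypothetical names; keep the table in a database only admins can read.
CREATE TABLE dbo.LoginPasswordAudit (
    sid          varbinary(85) NOT NULL PRIMARY KEY,
    login_name   sysname       NOT NULL,
    pwd_checksum int           NOT NULL,  -- checksum only, never the hash itself
    last_changed datetime      NOT NULL
)
GO

-- Nightly job, step 1: a different checksum means the password was changed.
-- BINARY_CHECKSUM is a 32-bit, non-cryptographic value, so a rare collision
-- can hide a change; the login is then flagged early, which fails safe.
UPDATE a
SET    pwd_checksum = BINARY_CHECKSUM(ISNULL(l.password, N'')),
       last_changed = GETDATE()
FROM   dbo.LoginPasswordAudit a
JOIN   master.dbo.syslogins l ON l.sid = a.sid
WHERE  a.pwd_checksum <> BINARY_CHECKSUM(ISNULL(l.password, N''))

-- Step 2: start tracking SQL logins seen for the first time. Their clock
-- starts tonight, because the real change date is unknown.
INSERT INTO dbo.LoginPasswordAudit (sid, login_name, pwd_checksum, last_changed)
SELECT l.sid, l.name, BINARY_CHECKSUM(ISNULL(l.password, N'')), GETDATE()
FROM   master.dbo.syslogins l
WHERE  l.isntname = 0   -- Windows logins have no SQL Server password
  AND  NOT EXISTS (SELECT * FROM dbo.LoginPasswordAudit a WHERE a.sid = l.sid)

-- Step 3: stop tracking logins that have been dropped.
DELETE FROM dbo.LoginPasswordAudit
WHERE  NOT EXISTS (SELECT * FROM master.dbo.syslogins l
                   WHERE l.sid = dbo.LoginPasswordAudit.sid)

-- Step 4: report logins whose password is 90 or more days old, oldest first.
-- The notification e-mail and any forced reset are left to the job that
-- consumes this result set.
SELECT a.login_name,
       a.last_changed,
       DATEDIFF(day, a.last_changed, GETDATE()) AS days_since_change
FROM   dbo.LoginPasswordAudit a
WHERE  DATEDIFF(day, a.last_changed, GETDATE()) >= 90
ORDER  BY a.last_changed
```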
