History of password stored in syslogin

  • Syslogin table stores login name and password.

    Is there any history table which saves the passwords a user had the past three times?

    Unfortunately my Java application uses a SQL login for each user and I have to implement a password policy. Since we do not store userid and password in a table, we try to connect for each user using the SQL login and password.

    I update the syslogin table whenever a user changes the password.

    Now, I want that the user should not enter any password he used the last three times.

    If there is a history maintained somewhere about SQL logins in the syslogins table, I will be able to do that.

    Please help.

    Thanks,

  • Syslogin is not a real table. Just want to make that clear before we go forward. It doesn't affect anything, but if you're talking SQL Server 2005, you should be using the catalog view sys.sql_logins.

    SQL Server doesn't store passwords. It stores hashes of passwords. A hash is generated from a one-way function, meaning you can't take the hash and get back the original password. What it is storing for history, at least since SQL Server 2005, are hashes of the old passwords.

    Therefore, if you're trying to avoid using the old passwords, you will have to come up with some other means of tracking them. A better solution is to use a password generator each time you have to change the password.

    K. Brian Kelley
    @kbriankelley

  • Also, SQL Server 2005 and above will honor the password policies that the OS has. It can't set its own. You can configure a SQL login to use these password policies by setting password policy enforcement on.

    K. Brian Kelley
    @kbriankelley

  • Thanks for the reply.

    Because of lack of time, we want to implement this password thing quickly, and for this what the application currently does is: each time a user changes passwords from the application's change password screen, it updates the syslogin table with the new password and updatedate.

    So similarly, if anywhere in the database we store all passwords used anytime in any system table, I can get the passwords and see if it's used in the previous 3 times, but I think, as you said, the password is stored in hashes in syslogin and it's not possible to compare it.

    Making a password generator will require a table where I store userid and password, which I don't have right now.

    So I assume there is no way we can maintain a history of passwords considering my current scenario.

  • If your Windows domain already blocks re-use of the last three passwords, simply enable password policy enforcement on the logins. You'll accomplish the same thing without having to build anything. More here:

    How to configure password enforcement options for standard SQL Server logins

    K. Brian Kelley
    @kbriankelley

  • Thanks for the reply. Is it actually Windows domain rules or SQL Server's own rules? Since I am using SQL logins and all users in the application have their SQL logins, if they try to connect, I can make changes in the application to let the user change the password when SQL says the password has expired, but what I am concerned about is after what duration it will prompt users to change the password, and for testing can I change this time?

    Thanks once again. Your suggestions really help.
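
The policy-enforcement approach suggested in the thread, as an added T-SQL example that is not part of the original posts. The login name `app_user_demo` and both passwords are constructed placeholders, and the `LOGINPROPERTY` names are those of current SQL Server versions; history depth and expiry interval come from the Windows password policy of the host or domain, not from SQL Server.

```sql
-- Constructed example: login name and passwords are placeholders.
-- Steps 1 and 2 need ALTER ANY LOGIN (for example, the securityadmin role).

-- 1. Enable Windows password-policy and expiration checks on the SQL login.
--    CHECK_EXPIRATION can only be ON when CHECK_POLICY is ON.
ALTER LOGIN [app_user_demo] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 2. Confirm the flags and read the password state the server tracks.
--    history_length is 0 when the policy is not enforced for the login.
SELECT  name,
        is_policy_checked,
        is_expiration_checked,
        LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
        LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration,
        LOGINPROPERTY(name, 'IsExpired')           AS is_expired,
        LOGINPROPERTY(name, 'IsMustChange')        AS must_change,
        LOGINPROPERTY(name, 'HistoryLength')       AS history_length
FROM    sys.sql_logins
WHERE   name = N'app_user_demo';

-- 3. Password change as the application would issue it on the user's own
--    connection. A login without ALTER ANY LOGIN must supply OLD_PASSWORD.
--    The server evaluates the new password against the Windows policy, so
--    the application needs no history table and no access to stored hashes.
BEGIN TRY
    ALTER LOGIN [app_user_demo]
        WITH PASSWORD = '<new-password-placeholder>'
             OLD_PASSWORD = '<current-password-placeholder>';
    SELECT 'changed' AS outcome, NULL AS error_number, NULL AS error_message;
END TRY
BEGIN CATCH
    -- A password refused by the policy (reuse, length, complexity) ends up
    -- here; return the server's own error so the application can show it.
    SELECT 'rejected'      AS outcome,
           ERROR_NUMBER()  AS error_number,
           ERROR_MESSAGE() AS error_message;
END CATCH;
```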
