Script to validate user input for password change

,

For SQL Server in Mixed Authentication mode this
stored procedure helps to validate users password. Currently this procedure checks for the next requrements: password must have length at least 8 characters plus among them at least one digit and at least one of the characters must be in upper case.

/***************************************************************************
	Script to validate user input for password change

	Based on original Microsoft SQl Server stored procedure sp_password
	with modifications.

	For SQL Server in Mixed Authentication mode this stored procedure 
	will help to control modifications of users passwords. 

	Currently procedure checks for next requrements: 
	password must have length at least 8 characters plus among them 
	at least one digit and at least one of the characters must be in upper case.

	D.Bobkov
	March 11, 2003

****************************************************************************/

use master

if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_password]') 
and OBJECTPROPERTY(id, N'IsProcedure') = 1)
	drop procedure [dbo].[sp_password]
GO

create procedure sp_password
    @old sysname = NULL,        -- the old (current) password
    @new sysname,               -- the new password
    @loginame sysname = NULL    -- user to change password on
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
	set nocount on
	declare @self int
    	select @self = CASE WHEN @loginame is null THEN 1 ELSE 0 END

    -- CHECK PERMISSIONS --
	IF (not is_srvrolemember('sysadmin') = 1)
        AND not @self = 1
	begin
	   raiserror(15210,-1,-1)
	   return (1)
	end

    -- DISALLOW USER TRANSACTION --
	set implicit_transactions off
	IF (@@trancount > 0)
	begin
		raiserror(15002,-1,-1,'sp_password')
		return (1)
	end

    -- RESOLVE LOGIN NAME (disallows nt names)
    if @loginame is null
        select @loginame = suser_sname()
    if not exists (select * from master.dbo.syslogins where
                    loginname = @loginame and isntname = 0)
	begin
		raiserror(15007,-1,-1,@loginame)
		return (1)
	end

    -- CHECK OLD PASSWORD IF NEEDED --
    if (@self = 1 or @old is not null)
        if not exists (select * from master.dbo.sysxlogins
                        where srvid IS NULL and
						      name = @loginame and
			                  ( (@old is null and password is null) or
                              (pwdcompare(@old, password, (CASE WHEN xstatus&2048 = 2048 THEN 1 ELSE 0 END)) = 1) )   )
        begin
		    raiserror(15211,-1,-1)
		    return (1)
	    end
	--=========================================================================================
    -- D.Bobkov - change for VALIDATE USER INPUT ===============================================
    -- as example using: minimum length - 8 char, minimum 1 number and minimum 1 capital letter in it...
    -- Perform comparision of @new
	declare @NumPos int
	declare @CapsPos int
	declare @position int
	declare @CharValue int

	SET @position = 1
	SET @NumPos = 0
	SET @CapsPos = 0

	WHILE @position <= DATALENGTH(@new)
	   BEGIN
		SET @CharValue = ASCII(SUBSTRING(@new, @position, 1))
		IF ( @CharValue > 47 AND @CharValue < 58)
			SET @NumPos = @NumPos + 1
		ELSE IF ( @CharValue > 64 AND @CharValue < 91)
			SET @CapsPos = @CapsPos + 1
	   	SET @position = @position + 1
	   END
	IF DATALENGTH(CAST(@new AS varchar(20))) < 8 
	begin
		raiserror('Password length is less than 8 chars', 16, 1)
		return (1)
	end

	IF @NumPos < 1
	begin
		raiserror('Password must have at least one digit', 16, 1) 
		return (1)
	end
	
	IF @CapsPos < 1 
	begin
		raiserror('Password must have at least one cahracter in upper case', 16, 1)
		return (1)
	end
    -- END OF D.Bobkov change ===================================================================
	--=========================================================================================
    -- CHANGE THE PASSWORD --
    update master.dbo.sysxlogins 
	set password = convert(varbinary(256), pwdencrypt(@new)), xdate2 = getdate(), xstatus = xstatus & (~2048)
	where name = @loginame and srvid IS NULL

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
	if @@error <> 0
        return (1)
    raiserror(15478,-1,-1)
	return  (0)	-- sp_password

GO

Rate

Share

Share

Rate