Technical Article

Script to validate user input for password change

,

For SQL Server in Mixed Authentication mode this
stored procedure helps to validate users password. Currently this procedure checks for the next requrements: password must have length at least 8 characters plus among them at least one digit and at least one of the characters must be in upper case.

/***************************************************************************
Script to validate user input for password change

Based on original Microsoft SQl Server stored procedure sp_password
with modifications.

For SQL Server in Mixed Authentication mode this stored procedure 
will help to control modifications of users passwords. 

Currently procedure checks for next requrements: 
password must have length at least 8 characters plus among them 
at least one digit and at least one of the characters must be in upper case.

D.Bobkov
March 11, 2003

****************************************************************************/
use master

if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_password]') 
and OBJECTPROPERTY(id, N'IsProcedure') = 1)
drop procedure [dbo].[sp_password]
GO

create procedure sp_password
    @old sysname = NULL,        -- the old (current) password
    @new sysname,               -- the new password
    @loginame sysname = NULL    -- user to change password on
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
set nocount on
declare @self int
    select @self = CASE WHEN @loginame is null THEN 1 ELSE 0 END

    -- CHECK PERMISSIONS --
IF (not is_srvrolemember('sysadmin') = 1)
        AND not @self = 1
begin
   raiserror(15210,-1,-1)
   return (1)
end

    -- DISALLOW USER TRANSACTION --
set implicit_transactions off
IF (@@trancount > 0)
begin
raiserror(15002,-1,-1,'sp_password')
return (1)
end

    -- RESOLVE LOGIN NAME (disallows nt names)
    if @loginame is null
        select @loginame = suser_sname()
    if not exists (select * from master.dbo.syslogins where
                    loginname = @loginame and isntname = 0)
begin
raiserror(15007,-1,-1,@loginame)
return (1)
end

    -- CHECK OLD PASSWORD IF NEEDED --
    if (@self = 1 or @old is not null)
        if not exists (select * from master.dbo.sysxlogins
                        where srvid IS NULL and
      name = @loginame and
                  ( (@old is null and password is null) or
                              (pwdcompare(@old, password, (CASE WHEN xstatus&2048 = 2048 THEN 1 ELSE 0 END)) = 1) )   )
        begin
    raiserror(15211,-1,-1)
    return (1)
    end
--=========================================================================================
    -- D.Bobkov - change for VALIDATE USER INPUT ===============================================
    -- as example using: minimum length - 8 char, minimum 1 number and minimum 1 capital letter in it...
    -- Perform comparision of @new
declare @NumPos int
declare @CapsPos int
declare @position int
declare @CharValue int

SET @position = 1
SET @NumPos = 0
SET @CapsPos = 0

WHILE @position <= DATALENGTH(@new)
   BEGIN
SET @CharValue = ASCII(SUBSTRING(@new, @position, 1))
IF ( @CharValue > 47 AND @CharValue < 58)
SET @NumPos = @NumPos + 1
ELSE IF ( @CharValue > 64 AND @CharValue < 91)
SET @CapsPos = @CapsPos + 1
   SET @position = @position + 1
   END
IF DATALENGTH(CAST(@new AS varchar(20))) < 8 
begin
raiserror('Password length is less than 8 chars', 16, 1)
return (1)
end

IF @NumPos < 1
begin
raiserror('Password must have at least one digit', 16, 1) 
return (1)
end

IF @CapsPos < 1 
begin
raiserror('Password must have at least one cahracter in upper case', 16, 1)
return (1)
end
    -- END OF D.Bobkov change ===================================================================
--=========================================================================================
    -- CHANGE THE PASSWORD --
    update master.dbo.sysxlogins 
set password = convert(varbinary(256), pwdencrypt(@new)), xdate2 = getdate(), xstatus = xstatus & (~2048)
where name = @loginame and srvid IS NULL

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
if @@error <> 0
        return (1)
    raiserror(15478,-1,-1)
return  (0)-- sp_password

GO

Rate

Share

Share

Rate