MS SQL Server 2012 - DBA Articles

SQL Server - Password Policy

04. SQL Server - Password Policy

SQL Server can use Windows password policy mechanisms. The password policy applies to a login that uses SQL Server authentication, and to a contained database user with password.

SQL Server can apply the same complexity and expiration policies used in Windows to passwords used inside SQL Server.

Password Complexity

Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:

    01. The password does not contain the account name of the user.
    02. The password is at least eight characters long.
    03. The password contains characters from three of the following four categories:
          01. Latin uppercase letters (A through Z)
          02. Latin lowercase letters (a through z)
          03. Base 10 digits (0 through 9)
          04. Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).

Passwords can be up to 128 characters long. You should use passwords that are as long and complex as possible.

Password Expiration

Password expiration policies are used to manage the lifespan of a password. When SQL Server enforces password expiration policy, users are reminded to change old passwords, and accounts that have expired passwords are disabled.

Strong Passwords

Passwords can be the weakest link in a server security deployment. You should always take great care when you select a password. A strong password has the following characteristics:

01. Is at least 8 characters long.
02. Combines letters, numbers, and symbol characters within the password.
03. Is not found in a dictionary.
04. Is not the name of a command.
05. Is not the name of a person.
06. Is not the name of a user.
07. Is not the name of a computer.
08. Is changed regularly.
09. Is significantly different from previous passwords.

Microsoft SQL Server passwords can contain up to 128 characters, including letters, symbols, and digits.

More Reference URL:

* * * * *

Email Your Comment To AUTHOR