Re: SQL Server 2005 password policy



Thanks for your response, Roger.

Empirically, the "default" SQL 2005 password complexity policy on XP seems
to be weak. For example, it accepts a 3 letter password for 'sa', even when
I select "Enforce Password Complexity". It didn't let me use the account
name however. I searched Books Online exhaustively and found descriptions of
password policies, but none as weak as this. Point is, apparently the docs
are describing a policy as enforced by the Server OS. The closest I came to
finding something that states that SQL 2005 has its own mechanism was under
the Authentication topic. It says if Mixed (vs Windows) auth is selected,
all SQL accounts must use strong passwords... but it didn't define "strong".
So it appears that SQL 2005 (on XP) does enforce a password complexity
policy by default, but a very weak one...


"Roger Wolter[MSFT]" <rwolter@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:O212%23SrVGHA.5408@xxxxxxxxxxxxxxxxxxxxxxx
I think you will find that you can't change the password policy in Windows
XP and have it affect your SQL passwords. On other versions of Windows,
SQL Server 2005 implements a default password complexity policy so this is
probably what you are seeing. Books Online has a description of the
default password policy.

--
This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Ron Lytal" <ron.lytal@xxxxxxxxxxxx> wrote in message
news:%23ndZ3qQVGHA.4792@xxxxxxxxxxxxxxxxxxxxxxx
I'm using SQL Server 2005 on both XP-SP2 and Server 2003 boxes. The docs
I have read state that the Password complexity / expiration features are
enabled only on Server 2003 and above. However, these features appear
functional on the SQL 2005 installs on the XP-SP2 boxes. The docs say
the NetValidatePasswordPolicy() API is used, and that it is only
available in Windows Server 2003 and above! Anyone know why it is
functioning on the XP boxes? Bad docs?







