strong password enforcement

  • Hi,

     

    I need to implement strong password enforcement for SQL 2000. Any ideas?

    Thanks

    Dk

  • You can always hack just this functionality into sp_password and sp_addlogin - but I wouldn't recommend it as any service pack install would wipe out these changes.

    I did a password management thingie a while back which was based on a spec to become SOX compliant. You will need at least one table for keeping some info (e.g. old password) taken from master.dbo.sysxlogins.

    You will need:

    0. a front-end for adding/deleting logins which also manages that extra table

    1. a process that manages expiration of passwords (sets password to a random value while keeping the old password in that extra table)

    2. a web page for letting a user change her password (where you can validate its strength and compare it with the previous password, etc.); this web page will request a password which is taken from that extra table

    3. a process which manages inactive users

    and the list goes on...

    So you can see, it's not trivial.
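
The strength and reuse checks from step 2 of the post above, sketched in SQL Server 2000 T-SQL as an added example that is not part of the original thread. The table, procedure name and policy thresholds (8 characters, three of four character classes) are assumptions; PWDCOMPARE is undocumented in SQL Server 2000, and the caller is assumed to be allowed to read sysxlogins and run sp_password for the login.

```sql
-- Added example. Table, procedure name and policy thresholds are assumptions.
CREATE TABLE dbo.LoginPasswordHistory (
    LoginName    sysname        NOT NULL,
    PasswordHash varbinary(256) NOT NULL,  -- copy of master.dbo.sysxlogins.password
    ChangedAt    datetime       NOT NULL DEFAULT (GETDATE())
)
GO
CREATE PROCEDURE dbo.usp_ChangePasswordChecked
    @LoginName sysname, @OldPassword sysname, @NewPassword sysname
AS
SET NOCOUNT ON
DECLARE @classes int, @oldHash varbinary(256), @rc int

-- Strength: minimum length, and at least 3 of 4 character classes.
-- The binary collation makes [A-Z] and [a-z] genuinely case-sensitive.
SET @classes =
    SIGN(PATINDEX('%[A-Z]%', @NewPassword COLLATE Latin1_General_BIN)) +
    SIGN(PATINDEX('%[a-z]%', @NewPassword COLLATE Latin1_General_BIN)) +
    SIGN(PATINDEX('%[0-9]%', @NewPassword)) +
    SIGN(PATINDEX('%[^a-zA-Z0-9]%', @NewPassword COLLATE Latin1_General_BIN))
IF @NewPassword IS NULL OR LEN(@NewPassword) < 8 OR @classes < 3
   OR CHARINDEX(LOWER(@LoginName), LOWER(@NewPassword)) > 0
BEGIN
    RAISERROR('Password does not meet the complexity policy.', 16, 1)
    RETURN 1
END

-- Reuse: compare the clear-text candidate with the current and stored hashes.
SELECT @oldHash = password FROM master.dbo.sysxlogins
WHERE name = @LoginName AND srvid IS NULL
IF PWDCOMPARE(@NewPassword, @oldHash) = 1
   OR EXISTS (SELECT * FROM dbo.LoginPasswordHistory
              WHERE LoginName = @LoginName
                AND PWDCOMPARE(@NewPassword, PasswordHash) = 1)
BEGIN
    RAISERROR('Password was used before.', 16, 1)
    RETURN 2
END

-- sp_password refuses to run inside a transaction, so change first and
-- record the previous hash only when the change succeeded.
EXEC @rc = master.dbo.sp_password @OldPassword, @NewPassword, @LoginName
IF @rc <> 0 RETURN 3
IF @oldHash IS NOT NULL
    INSERT dbo.LoginPasswordHistory (LoginName, PasswordHash)
    VALUES (@LoginName, @oldHash)
RETURN 0
GO
```

The history table holds password hashes, so its permissions should be as restrictive as those on sysxlogins itself.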

  • Grab a grain of salt. Ready? Upgrade to 2005.

    Michael is right - you need to build your own enforcement mechanisms.

    Alternatively, does it make sense to use Windows authentication, and delegate the problem away from SQL Server and place the responsibility on Windows? There are no easy answers, but there are good ones.

  • Thanks very much guys. Looks like Steve is right >>There are no easy answers, but there are good ones<<. I tried upgrading to SQL2005 but ran into the issue with transactional replication to Sybase. Now I'm back to strong passwords, as this was the reason to go to SQL2005. Any good tips are appreciated. Thanks!!!

  • It seems that no one mentioned this solution for SQL 2000 - go to integrated security. Mind you, it might be a grain of salt as well, but possibly less than 2005.

    Regards
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."

  • We are testing one of the applications to use Windows authentication, but we operate in a multi-domain environment and that's sometimes a restriction.

    Thanks for all comments, all help is appreciated.

    D.
