Script to validate user input for password change
For SQL Server in Mixed Authentication mode this
stored procedure helps to validate users password. Currently this procedure checks for the next requrements: password must have length at least 8 characters plus among them at least one digit and at least one of the characters must be in upper case.
/***************************************************************************
Script to validate user input for password change
Based on original Microsoft SQl Server stored procedure sp_password
with modifications.
For SQL Server in Mixed Authentication mode this stored procedure
will help to control modifications of users passwords.
Currently procedure checks for next requrements:
password must have length at least 8 characters plus among them
at least one digit and at least one of the characters must be in upper case.
D.Bobkov
March 11, 2003
****************************************************************************/
use master
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_password]')
and OBJECTPROPERTY(id, N'IsProcedure') = 1)
drop procedure [dbo].[sp_password]
GO
create procedure sp_password
@old sysname = NULL, -- the old (current) password
@new sysname, -- the new password
@loginame sysname = NULL -- user to change password on
as
-- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
set nocount on
declare @self int
select @self = CASE WHEN @loginame is null THEN 1 ELSE 0 END
-- CHECK PERMISSIONS --
IF (not is_srvrolemember('sysadmin') = 1)
AND not @self = 1
begin
raiserror(15210,-1,-1)
return (1)
end
-- DISALLOW USER TRANSACTION --
set implicit_transactions off
IF (@@trancount > 0)
begin
raiserror(15002,-1,-1,'sp_password')
return (1)
end
-- RESOLVE LOGIN NAME (disallows nt names)
if @loginame is null
select @loginame = suser_sname()
if not exists (select * from master.dbo.syslogins where
loginname = @loginame and isntname = 0)
begin
raiserror(15007,-1,-1,@loginame)
return (1)
end
-- CHECK OLD PASSWORD IF NEEDED --
if (@self = 1 or @old is not null)
if not exists (select * from master.dbo.sysxlogins
where srvid IS NULL and
name = @loginame and
( (@old is null and password is null) or
(pwdcompare(@old, password, (CASE WHEN xstatus&2048 = 2048 THEN 1 ELSE 0 END)) = 1) ) )
begin
raiserror(15211,-1,-1)
return (1)
end
--=========================================================================================
-- D.Bobkov - change for VALIDATE USER INPUT ===============================================
-- as example using: minimum length - 8 char, minimum 1 number and minimum 1 capital letter in it...
-- Perform comparision of @new
declare @NumPos int
declare @CapsPos int
declare @position int
declare @CharValue int
SET @position = 1
SET @NumPos = 0
SET @CapsPos = 0
WHILE @position <= DATALENGTH(@new)
BEGIN
SET @CharValue = ASCII(SUBSTRING(@new, @position, 1))
IF ( @CharValue > 47 AND @CharValue < 58)
SET @NumPos = @NumPos + 1
ELSE IF ( @CharValue > 64 AND @CharValue < 91)
SET @CapsPos = @CapsPos + 1
SET @position = @position + 1
END
IF DATALENGTH(CAST(@new AS varchar(20))) < 8
begin
raiserror('Password length is less than 8 chars', 16, 1)
return (1)
end
IF @NumPos < 1
begin
raiserror('Password must have at least one digit', 16, 1)
return (1)
end
IF @CapsPos < 1
begin
raiserror('Password must have at least one cahracter in upper case', 16, 1)
return (1)
end
-- END OF D.Bobkov change ===================================================================
--=========================================================================================
-- CHANGE THE PASSWORD --
update master.dbo.sysxlogins
set password = convert(varbinary(256), pwdencrypt(@new)), xdate2 = getdate(), xstatus = xstatus & (~2048)
where name = @loginame and srvid IS NULL
-- FINALIZATION: RETURN SUCCESS/FAILURE --
if @@error <> 0
return (1)
raiserror(15478,-1,-1)
return (0)-- sp_password
GO 
