Answered SQL Server 2005 password policy

  • Tuesday, October 06, 2009 12:57 PM
     
     

    Good morning,

    Is there any way to turn off the password complexity in SQL Server 2005? We need to install third party software that creates users with predefined passwords.
    Thank you so much in advance.

    Irynana

All Replies

  • Tuesday, October 06, 2009 1:11 PM
    Moderator
     
     Answered
    Not universally.  You can disable password policy checks at an individual login level, but there isn't a master switch for the entire instance.  If you are installing software that violates your corporate password policy, I would be asking some pretty serious questions of the software vendor, because they obviously don't care about any of the data that their software is dealing with.  I haven't seen a password policy that was overly complex and it is virtually impossible to go create a password on any system without a minimum amount of complexity.  So, it is simply unacceptable and quite irresponsible for a vendor to be producing software that can't pass a company's password policy.  It was irresponsible 40 years ago, it is irresponsible today and it will be irresponsible at any time in the future.  Password policies exist for a reason.  Additionally, if you are putting this on a SQL Server that has other databases, then you are also compromising the integrity of all of those databases.  Hard coding passwords into a piece of software, well I won't even get started on that.

    I would be curious to know what the software is.  That way I can make sure that no company I ever work with ever buys it, due to their complete disregard for security.

    Mike Hotek BlowFrog Software, Inc. http://www.BlowFrogSoftware.com Affordable database tools for SQL Server professionals
  • Tuesday, October 06, 2009 1:51 PM
    Moderator
     
     Answered
    The simple answer is no. Your only real options are to make changes at the AD level (change your password policy etc) or get the software company to provide a version that creates logins with CHECK_POLICY = OFF.

    Michael makes good points and unfortunately, it seems that for many software vendors these days, thinking about security is an "overhead" they can do without. My guess is that their software was built for SQL2000 where enforcing password policy wasn't an option and they've not rewritten it.

    I'm sure they can make some simple changes to their install scripts to get it to work but it's definitely worth challenging them on what their policy on security is.


    every day is a school day
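
Added example, not part of the original thread or of any reply: a T-SQL audit for the per-login `CHECK_POLICY = OFF` exception described in the two answers above, followed by bringing one such login back under policy once the installer has finished. The login name `vendor_app_login` and the password are placeholders assumed for illustration.

```sql
-- Added example: [vendor_app_login] and the password are placeholders,
-- not values from the thread.

-- 1. Find SQL-authenticated logins that are exempt from the Windows
--    password policy, and when their password was last set.
SELECT  name,
        is_policy_checked,
        is_expiration_checked,
        is_disabled,
        create_date,
        LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM    sys.sql_logins
WHERE   is_policy_checked = 0
ORDER BY create_date DESC;

-- 2. Generate (but do not run) the statements that would re-enable
--    policy, so each exception can be reviewed before it is closed.
--    The ##...## filter skips internal logins present on later versions.
SELECT  N'ALTER LOGIN ' + QUOTENAME(name) + N' WITH CHECK_POLICY = ON;'
            AS remediation_statement
FROM    sys.sql_logins
WHERE   is_policy_checked = 0
  AND   name NOT LIKE N'##%##';

-- 3. For one login created by an installer: turn policy on first, then
--    set a new password so the new value is validated against policy
--    and the installer's predefined password is no longer in use.
ALTER LOGIN [vendor_app_login] WITH CHECK_POLICY = ON;
ALTER LOGIN [vendor_app_login] WITH PASSWORD = N'<new-strong-password>';

-- 4. Confirm the login is back under policy.
SELECT  name, is_policy_checked
FROM    sys.sql_logins
WHERE   name = N'vendor_app_login';
```

Step 1 can be scheduled as a recurring check, since any new row it returns is a login that was created or altered outside the password policy.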
  • Tuesday, October 06, 2009 2:15 PM
     
     

    Understood. Thank you guys for the quick response.



  • Thursday, May 10, 2012 1:59 AM
     
     

    You guys are pretty reactionary. "Complete disregard for security"...  over a default, install password? It sounds like you are the one with a complete disregard for security. I'm gonna make sure I never hire you, because if you're not changing default passwords IMMEDIATELY after installation, it makes ZERO difference if it's complex or not. If it's default then anyone can look it up on the internet.