Dushyant2426 asked

Security issue when I create users or reset passwords for existing users

1st, when I create a user or reset the password for existing users with SQL Authentication, I'm using an encrypted password which is 5 words, and I'm getting an error that password validation failed: the password does not meet Windows policy requirements because it is too short (Error 15116). Our Windows policy is 8 characters. 2nd, our servers are upgraded from SQL Server 2000 to SQL Server 2008. Any good suggestions for my issue?
sql-server-2008

Grant Fritchey answered
Without seeing the T-SQL statements, I'm just guessing. You say it's 5 words, but do any of the characters have a single quote? It's possible that you're passing a string without correcting for that.
5 comments

ThomasRushton ♦♦ commented ·
So, five letters rather than 5 words. Definitely too short!
2 Likes 2 ·
Grant Fritchey ♦♦ commented ·
The policy says 8 and you have 5. It's pretty straightforward where the issue might be.
2 Likes 2 ·
Dushyant2426 commented ·
Thanks for replying. Our encrypted password is K6WTP, and the end user uses 12345.
0 Likes 0 ·
Dushyant2426 commented ·
Sorry, I forgot that it's five letters. Do you know how I can solve my problem? Also, our server is upgraded from SQL Server 2000 to SQL Server 2008.
0 Likes 0 ·
Grant Fritchey ♦♦ commented ·
If you don't want to enforce the standards, how about turning the standards off? http://www.itechtalk.com/thread4158.html If you want to enforce the policy, then you have to enforce the policy. You can't really do both, enforce and not enforce, at the same time.
0 Likes 0 ·
ThomasRushton answered
If you want / need to bypass the password policy, when you write your [`CREATE LOGIN`](http://msdn.microsoft.com/en-us/library/ms189751.aspx) statement, add `CHECK_POLICY = OFF` to the `WITH` clause. Better advice is to change your SQL Authenticated passwords to something stronger, or (best) to use Windows Authentication rather than SQL Server authentication.
2 comments

ThomasRushton ♦♦ commented ·
I would go with setting a stronger password in the first place. Doesn't have to be too complicated - Pa5$word would probably do the job!
1 Like 1 ·
Dushyant2426 commented ·
Thanks Thomas. As per our company policy, if I create user ABC with SQL authentication, the password I use is the encrypted K6WTP. I'll let the end user know that his user ID is ABC and the password is 12345, and then he will change it to his own. But if I create the user with the password policy unchecked, he will not be able to change it to his own password.
0 Likes 0 ·
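
The options discussed in this answer, side by side, as an added T-SQL example that is not part of the original posts: a login created with the policy check off, a login with a temporary password that must be replaced at first login, and a query listing SQL logins that are not under the Windows password policy. The login name `ABC_nopolicy` and every password literal are constructed for illustration.

```sql
-- Added example for SQL Server 2008. Passwords below are constructed samples.

-- Policy check disabled: a password shorter than the 8-character Windows
-- policy is accepted (no error 15116), but nothing enforces strength
-- or expiration for this login afterwards.
CREATE LOGIN ABC_nopolicy              -- hypothetical login name
    WITH PASSWORD = 'Ab1cd',           -- constructed 5-character password
         CHECK_POLICY = OFF;
GO

-- Policy enforced: temporary password that satisfies the policy and has to
-- be replaced by the user at first login.
-- MUST_CHANGE is only valid with CHECK_POLICY = ON and CHECK_EXPIRATION = ON.
CREATE LOGIN ABC
    WITH PASSWORD = 'Tmp-Example-7431!' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Password reset for an existing login: put it under policy first,
-- then issue a new temporary password.
ALTER LOGIN ABC WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN ABC WITH PASSWORD = 'Tmp-Example-9052!' MUST_CHANGE;
GO

-- Audit: enabled SQL-authenticated logins that skip the policy or the
-- expiration check, with their must-change state and last password set time.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'IsMustChange')        AS must_change,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0)
ORDER BY name;
```

Running the audit query after an upgrade shows which SQL logins are still outside the Windows password policy and need a reset under policy.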
