Question

On Linux, where does SQL Server store the "SQL Server password policy" and the SA user's password? I get it, "password" isn't secure.

ERROR: Unable to set system administrator password: Password validation failed. The password does not meet SQL Server password policy requirements because it is too short. The password must be at least 8 characters..

and then,

ERROR: Unable to set system administrator password: Password validation failed. The password does not meet SQL Server password policy requirements because it is not complex enough. The password must be at least 8 characters long and contain characters from three of the following four sets: Uppercase letters, Lowercase letters, Base 10 digits, and Symbols..

I'm guessing the policy is actually compiled into the database? And the password gets stored in an obscure location?


Solution 2

I believe if there is no Windows Password Policy, as in the case of Linux, there is some hard-compiled default in the SQL Server Daemon. The docs seem to imply that too, under Security limitations for SQL Server on Linux:

A standard password policy is provided. MUST_CHANGE is the only option you may configure.

That said, you can get around this and take the training wheels off pretty easily,

ALTER LOGIN [sa] WITH PASSWORD=N'password', CHECK_POLICY = off;

As far as the file this writes to, I'm thinking it's likely data/mastlog.ldf, which is in the data dir /var/opt/mssql

OTHER TIPS

The sa user is a SQL Server login and its password is encrypted and stored in the DMV sys.sql_logins (Database Management View) in the master database.

Reference: sys.sql_logins (Transact-SQL)

You might notice that these views can only be found in the following branch:

Server | Databases | master | Views | System Views | .... 

The DMVs reference some system base tables, which can be accessed (but shouldn't):

Reference: System Base Tables

The policy you are looking for is built in to the code of SQL Server and is set per default for each new account. When creating a SQL Server Login you can decide to turn off the defaults:

To enforce password policy options for complexity and enforcement, select Enforce password policy. For more information, see Password Policy. This is a default option when SQL Server authentication is selected.

... via CHECK_POLICY=OFF. See the full syntax:

CREATE LOGIN login_name { WITH <option_list1> | FROM <sources> }  

<option_list1> ::=   
    PASSWORD = { 'password' | hashed_password HASHED } [ MUST_CHANGE ]  
    [ , <option_list2> [ ,... ] ]  

<option_list2> ::=    
    SID = sid  
    | DEFAULT_DATABASE = database      
    | DEFAULT_LANGUAGE = language  
    | CHECK_EXPIRATION = { ON | OFF}  
    | CHECK_POLICY = { ON | OFF}  
    | CREDENTIAL = credential_name   

<sources> ::=  
    WINDOWS [ WITH <windows_options>[ ,... ] ]  
    | CERTIFICATE certname  
    | ASYMMETRIC KEY asym_key_name  

<windows_options> ::=        
    DEFAULT_DATABASE = database  
    | DEFAULT_LANGUAGE = language  

Reference: CREATE LOGIN (Transact-SQL)

If the SQL Server is a member of a Windows Domain, then it will retrieve the password policy from Active Directory. Otherwise the defaults are:

Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:

  • The password does not contain the account name of the user.
  • The password is at least eight characters long.
  • The password contains characters from three of the following four categories:
    - Latin uppercase letters (A through Z)
    - Latin lowercase letters (a through z)
    - Base 10 digits (0 through 9)
    - Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).

Passwords can be up to 128 characters long. You should use passwords that are as long and complex as possible.

Reference: Password Policy
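
The rules quoted above can be checked before a password is ever handed to the server, for example in a provisioning script. The following is an added example, not part of the original answers and not SQL Server's own code; the function names are hypothetical, and the account-name test is assumed to be a case-insensitive substring match.

```python
import string

MIN_LEN = 8      # "at least eight characters long"
MAX_LEN = 128    # "Passwords can be up to 128 characters long"


def character_classes(password: str) -> set[str]:
    """Return which of the four documented categories the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif not ch.isalnum():
            # Anything that is not a letter or digit counts as a symbol.
            classes.add("symbol")
    return classes


def policy_violations(login: str, password: str) -> list[str]:
    """List every rule from the quoted policy that the password breaks."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("too short")
    if len(password) > MAX_LEN:
        problems.append("too long")
    if len(character_classes(password)) < 3:
        problems.append("not complex enough")
    # Assumption: a case-insensitive substring match stands in for
    # "does not contain the account name"; the server's rule may differ.
    if login and login.lower() in password.lower():
        problems.append("contains account name")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw in ("password", "Passw0rd", "sa-Tr1cky#Value", "Long&Random42phrase"):
        print(f"{pw!r}: {policy_violations('sa', pw) or 'ok'}")
```

An empty list means the password satisfies the quoted rules; the server remains the authority on what it accepts.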

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange