SQL Server Password Policy


When creating a SQL Login, you can select the Enforce Password Policy option as described in my article “How To Create a Login On SQL Server(Manage Logins)”. When you select this option, the SQL login is validated against the Windows password policy of the computer SQL Server runs on: the local policy on a standalone machine, or the domain policy if the machine is domain-joined. (In T-SQL the same option is CHECK_POLICY = ON on CREATE LOGIN or ALTER LOGIN; CHECK_EXPIRATION = ON additionally enforces the maximum password age.) This article describes the password policy and how to set it.

Type gpedit.msc into the Start menu search box and run it to open the Local Group Policy Editor.


Then navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy, which brings you to the following screen.


The settings we need are listed on the right-hand side, in the Policy section.

On a domain-joined computer these settings are usually controlled by the domain (the Default Domain Policy or a fine-grained password policy) and appear greyed out locally, so they cannot be changed here.

If this is the case, you must forward the required settings to the team that manages Group Policy in your company.

If you can change them locally, you must set these policies according to the security policy requirements of your company.

You can find these policies and their explanations below.

Enforce password history: how many of the user’s previous passwords the system remembers, so that they cannot be reused. The value must be between 0 and 24. If it is left at 0, users can simply set their previous password again. You can set this value to 3; Microsoft’s security baseline uses the maximum of 24.

Maximum password age: how long a password stays valid. After this period users have to change their password. The value is between 0 and 999 days, where 0 means passwords never expire.

The value here depends on the information security policies in your company.

If you don’t have any policy you can set it to 180 days.

Minimum password age: the minimum time a password must be kept before the user may change it again. It stops users from changing their password several times in a row just to cycle back to an old one, which would defeat the password history. It must be lower than the maximum password age; 1 day is the usual value, and 0 allows immediate changes.

Minimum password length: the smallest number of characters a password may contain. It should be at least 8.
Password must meet complexity requirements: if you enable this option, every new password must meet all of the following requirements (these are the rules Windows actually checks, which differ slightly from the way they are often summarised). I think it should be enabled for security.

The password cannot contain the user’s account name (samAccountName). The check is not case-sensitive and is skipped if the account name is shorter than three characters.

The password cannot contain any part of the user’s full name (displayName) that is three characters or longer. The full name is split into parts at commas, periods, dashes, underscores, spaces, pound signs and tabs; parts shorter than three characters are ignored.

The password must be at least 6 characters long (the separate Minimum password length policy can require more).

The password must contain characters from at least three of these five categories: uppercase letters, lowercase letters, digits 0-9, non-alphanumeric characters (for example ! $ # %), and other Unicode letters that have no upper or lower case (for example Asian scripts). Note that three categories are enough; a password does not have to contain all four of upper, lower, digit and symbol.

Store passwords using reversible encryption

Some authentication protocols need the user’s plaintext password on the server side, for example Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), and Digest Authentication in IIS.

If you use such an application you would have to enable this option. But it stores passwords in a form that can be decrypted back to plaintext, which is practically the same as storing them in clear text: anyone who can read the account database can recover every password. It is better to leave it disabled and find another solution; if an application really cannot work without it, enable it on the individual accounts that need it (an account option) rather than for everyone through this policy.
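As an added example (not part of the original article), the following Python script checks an exported local policy against the recommendations made above, so you can verify the settings on a SQL Server host without clicking through gpedit.msc. On a real host you would first run secedit /export /cfg C:\pwpolicy.inf in an elevated prompt and read that file (it is UTF-16 with a BOM); the export embedded here is a constructed sample of an un-hardened workgroup machine, and the thresholds are this article’s suggestions, not Microsoft defaults.

```python
"""Audit the [System Access] section of a secedit policy export.

Added example, not from the original article. The key names are the ones
secedit writes; the thresholds encode the article's recommendations
(history 3, max age <= 180 days, min age >= 1 day, length >= 8,
complexity on, reversible encryption off).
"""
import configparser
from dataclasses import dataclass
from typing import Callable

# Constructed sample export of a fresh workgroup machine (not a real host).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


@dataclass(frozen=True)
class Recommendation:
    key: str                       # key name in the [System Access] section
    ok: Callable[[int], bool]      # predicate on the integer value
    advice: str                    # what to set when the predicate fails


RECOMMENDATIONS = [
    Recommendation("PasswordHistorySize", lambda v: v >= 3,
                   "Enforce password history: remember at least 3 passwords (max 24)"),
    Recommendation("MaximumPasswordAge", lambda v: 1 <= v <= 180,
                   "Maximum password age: 1-180 days (0 or -1 means never expires)"),
    Recommendation("MinimumPasswordAge", lambda v: v >= 1,
                   "Minimum password age: at least 1 day so history cannot be cycled"),
    Recommendation("MinimumPasswordLength", lambda v: v >= 8,
                   "Minimum password length: at least 8 characters"),
    Recommendation("PasswordComplexity", lambda v: v == 1,
                   "Password must meet complexity requirements: Enabled"),
    Recommendation("ClearTextPassword", lambda v: v == 0,
                   "Store passwords using reversible encryption: Disabled"),
]


def parse_system_access(export_text: str) -> dict[str, int]:
    """Return the integer-valued keys of [System Access] from a secedit export."""
    cp = configparser.ConfigParser(interpolation=None)   # values contain '$'
    cp.optionxform = str                                 # keep key case
    cp.read_string(export_text)
    section = cp["System Access"]
    return {k: int(v) for k, v in section.items() if v.lstrip("-").isdigit()}


def audit(export_text: str) -> list[str]:
    """List the recommendations the exported policy does not meet."""
    settings = parse_system_access(export_text)
    findings = []
    for rec in RECOMMENDATIONS:
        if rec.key not in settings:
            findings.append(f"{rec.key}: not present in export; {rec.advice}")
        elif not rec.ok(settings[rec.key]):
            findings.append(f"{rec.key} = {settings[rec.key]}; {rec.advice}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT) or ["Password policy meets the recommendations"]:
        print(line)
```

Run against the sample it reports four findings (history, minimum age, minimum length and complexity); the 42-day maximum age and disabled reversible encryption pass. Remember that on a domain-joined server the domain policy is what SQL Server’s CHECK_POLICY actually evaluates, so export and audit the policy on the SQL Server host itself rather than on your workstation.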