Share via

'CHECK_POLICY' Option is set to 'ON' for SQL Server logins

Kazi Ariful Haq 161 Reputation points
2020-11-14T04:09:13.553+00:00

Hi,

We are using SQL Server 2017 in production. Many of the application is running on these databases. Recently our security team asked to ensure 'CHECK_POLICY' Option is set to 'ON' for all SQL authenticated Logins.

If we set this for any existing login and if the password was simple then will the login work afterwards when we set 'CHECK_POLICY' Option is set to 'ON' or we have to create new password for the logins to meet password complexity?

SQL Server Other

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator
    2020-11-14T10:06:54.533+00:00

    Why don't you test it? Create login with CHECK_POLICY=OFF and with a password of a single letter. Alter the login to set CHECK_POLICY=ON. Test if you can still log in.

    I did not test this myself, I would be very surprised if you cannot, since there is not really a way to check the complexity of an existing password. Remember that they are stored as salted hashes, so it is very difficult to retrieve the password by a direct lookup. (But a brute-force attack will find it quickly enough for an attacker.)

    1 person found this answer helpful.
    0 comments
  2. AmeliaGu-MSFT 14,006 Reputation points Microsoft External Staff
    2020-11-16T06:12:45.767+00:00

    Hi @Kazi Ariful Haq ,

    Based on my test, after modifying check_policy from off to on, you can still log in to SQL Server.

    Best Regards,
    Amelia

    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
    Users always get connection timeout problem when using multi subnet AG via listener. Especially after failover to another subnet
    What can I do if my transaction log is full?--- Hot issues November
    How to convert Profiler trace into a SQL Server table -- Hot issues November

    0 comments
  3. Dirk Hondong 871 Reputation points
    2020-11-20T12:20:53.36+00:00

    Hi there,

    I think Microsoft Learn are quite clear
    https://learn.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-ver15

    "Password Complexity
    Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:"

    So, for existing SQL logins it does not matter.
    Only if you set a new password.

    Regarding the policy enforcment:
    Policy Enforcement
    The enforcement of password policy can be configured separately for each SQL Server login. Use ALTER LOGIN (Transact-SQL) to configure the password policy options of a SQL Server login. The following rules apply to the configuration of password policy enforcement:

    When CHECK_POLICY is changed to ON, the following behaviors occur:

    CHECK_EXPIRATION is also set to ON unless it is explicitly set to OFF.

    The password history is initialized with the value of the current password hash.

    So, once you activate the policy and renew a password you cannot use the recent one immediatly.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.