Technical Article

Enhanced sp_password

,

This is a sp_password enhanced by Dmitri Bobkov (see http://qa.sqlservercentral.com/scripts/contributions/718.asp) and re-enhanced with a small changes from SQL2kSP3.
For SQL Server in Mixed Authentication mode this stored procedure helps to validate users password. Currently this procedure checks for the next requrements: password must have length at least 8 characters plus among them at least one digit and at least one of the characters must be in upper case.

/***************************************************************************
	Script to validate user input for password change

	Based on original Microsoft SQl Server stored procedure sp_password
	with modifications.

	For SQL Server in Mixed Authentication mode this stored procedure 
	will help to control modifications of users passwords. 

	Currently procedure checks for next requrements: 
	password must have length at least 8 characters plus among them 
	at least one digit and at least one of the characters must be in upper case.

	D.Bobkov
	March 11, 2003
	
	F.Yaghob
	March 27, 2003

****************************************************************************/

use master
go

sp_configure 'allow update', 1
go

RECONFIGURE WITH OVERRIDE
go

alter procedure sp_password
    @old sysname = NULL,        -- the old (current) password
    @new sysname,               -- the new password
    @loginame sysname = NULL    -- user to change password on
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
	set nocount on
	declare @self int
    	select @self = CASE WHEN @loginame is null THEN 1 ELSE 0 END

    -- RESOLVE LOGIN NAME
    if @loginame is null
        select @loginame = suser_sname()

    -- CHECK PERMISSIONS (SecurityAdmin per Richard Waymire) --
	IF (not is_srvrolemember('securityadmin') = 1)
        AND not @self = 1
	begin
	   dbcc auditevent (107, @self, 0, @loginame, NULL, NULL, NULL)
	   raiserror(15210,-1,-1)
	   return (1)
	end
	ELSE
	begin
	   dbcc auditevent (107, @self, 1, @loginame, NULL, NULL, NULL)
	end

    -- DISALLOW USER TRANSACTION --
	set implicit_transactions off
	IF (@@trancount > 0)
	begin
		raiserror(15002,-1,-1,'sp_password')
		return (1)
	end

    -- RESOLVE LOGIN NAME (disallows nt names)
    if not exists (select * from master.dbo.syslogins where
                    loginname = @loginame and isntname = 0)
	begin
		raiserror(15007,-1,-1,@loginame)
		return (1)
	end

	-- IF non-SYSADMIN ATTEMPTING CHANGE TO SYSADMIN, REQUIRE PASSWORD (218078) --
	if (@self <> 1 AND is_srvrolemember('sysadmin') = 0 AND exists
			(SELECT * FROM master.dbo.syslogins WHERE loginname = @loginame and isntname = 0
				AND sysadmin = 1) )
		SELECT @self = 1

    -- CHECK OLD PASSWORD IF NEEDED --
    if (@self = 1 or @old is not null)
        if not exists (select * from master.dbo.sysxlogins
                        where srvid IS NULL and
						      name = @loginame and
			                  ( (@old is null and password is null) or
                              (pwdcompare(@old, password, (CASE WHEN xstatus&2048 = 2048 THEN 1 ELSE 0 END)) = 1) )   )
        begin
		    raiserror(15211,-1,-1)
		    return (1)
	    end
	-- =========================================================================================
    -- D.Bobkov - change for VALIDATE USER INPUT ===============================================
    -- as example using: minimum length - 8 char, minimum 1 number and minimum 1 capital letter in it...
    -- Perform comparision of @new
	declare @NumPos int
	declare @CapsPos int
	declare @position int
	declare @CharValue int

	SET @position = 1
	SET @NumPos = 0
	SET @CapsPos = 0

	WHILE @position <= DATALENGTH(@new)
	   BEGIN
		SET @CharValue = ASCII(SUBSTRING(@new, @position, 1))
		IF ( @CharValue > 47 AND @CharValue < 58)
			SET @NumPos = @NumPos + 1
		ELSE IF ( @CharValue > 64 AND @CharValue < 91)
			SET @CapsPos = @CapsPos + 1
	   	SET @position = @position + 1
	   END
	IF DATALENGTH(CAST(@new AS varchar(20))) < 8 
	begin
		raiserror('Password length is less than 8 chars', 16, 1)
		return (1)
	end

	IF @NumPos < 1
	begin
		raiserror('Password must have at least one digit', 16, 1) 
		return (1)
	end
	
	IF @CapsPos < 1 
	begin
		raiserror('Password must have at least one character in upper case', 16, 1)
		return (1)
	end
    -- END OF D.Bobkov change ===================================================================
	-- ==========================================================================================
    -- CHANGE THE PASSWORD --
    update master.dbo.sysxlogins
	set password = convert(varbinary(256), pwdencrypt(@new)), xdate2 = getdate(), xstatus = xstatus & (~2048)
	where name = @loginame and srvid IS NULL

	-- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
	exec('use master grant all to null')

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
	if @@error <> 0
        return (1)
    raiserror(15478,-1,-1)
	return  (0)	-- sp_password

GO

update sysobjects set
    base_schema_ver = 0,
    status = status | 0xC0000001
    where name = 'sp_password'
go

sp_configure "allow update", 0
go

RECONFIGURE WITH OVERRIDE
go

GRANT EXECUTE ON [dbo].[sp_password] TO [public]
go

Rate

You rated this post out of 5. Change rating

Share

Tags

Join the discussion and add your comment

Share

Rate

You rated this post out of 5. Change rating

Related content

Technical Article

Shows Tables for a Given Database from DOS

If you are using OSQL or ISQL from DOS querys are really hard to use, because the result is to big for the screen. With this procedure, you can especify from wich column to wich column show the list of tables. For Example: proc_tables master, 3, 10 will show you only a short list of […]

You rated this post out of 5. Change rating

2001-10-28

728 reads