Password management options for the SQL Server sa login

By: Jeremy Kadlec   |   Last Updated: 2007-01-10   |   Related Tips: More > Auditing and Compliance

In earlier tips from the sa series we outlined 'When not to use the sa password' and 'When was the last time the sa password changed?'.  In this installment of the sa series we will outline options for password management.  In a nutshell, the security needs of the organization dictate how the sa password should be managed.  Even in environments without specific legal or regulatory requirements, the sa login needs a baseline level of protection.  As the security needs increase, additional measures become necessary to manage and protect the most privileged (out of the box) login in SQL Server, the sa login.

As a DBA\Developer it is necessary to handle any privileged account's password with great care.  As such, here are some techniques to do so:

  • Do not use the sa login unless necessary; when you think it is necessary, research other options to validate that no alternative exists
  • Do not let any applications get promoted to the production environment if they use the sa login
  • Use an electronic or physical password safe to manage the passwords to ensure they are stored in a secure location as opposed to a sticky note or some other easily accessible location
  • Create a password of 20+ characters using mixed case letters, numbers and symbols
  • Have a limited number of DBAs\Developers know the password or have access to the password to limit the potential exposure
  • Audit the login usage to the SQL Server error log or capture the usage with Profiler or a third party tool

[Screenshot: SQL Server 2005 - Login Audits]

  • Change the password on a regular basis, whether that is monthly, quarterly or semi-annually
  • Ensure that changing the password is not a chore
  • Change the password when a DBA\Developer who knows the sa password leaves the organization
  • If you are in a secure environment, split the password between 2 DBAs so 1 DBA knows the first half of the password and another DBA knows the second half of the password
  • If you are using SQL Server 2005, leverage the new password options of 'Enforce password policy' and 'Enforce password expiration'

[Screenshot: SQL Server 2005 Password Management Options]
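The following T-SQL is an added example, not part of the original tip, that checks the sa login against several of the points above on SQL Server 2005 or later: whether login auditing writes to the error log, whether 'Enforce password policy' and 'Enforce password expiration' are on, and how long ago the password was last changed. The 90-day rotation threshold is an assumption (a quarterly cycle); the registry key read for the audit level is the one behind the 'Login auditing' server property.

```sql
-- Added example (not the tip's own script): audit the sa login's password
-- management state. Read-only apart from the commented-out ALTER LOGIN.
-- Run in master as a sysadmin on SQL Server 2005 or later.
SET NOCOUNT ON;

-- 1. Login audit level from the instance registry hive
--    (0 = none, 1 = successful logins, 2 = failed logins, 3 = both).
--    Auditing sa usage to the error log needs at least 2, ideally 3.
DECLARE @AuditLevel INT;
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel',
    @AuditLevel OUTPUT;

-- 2. Assumed rotation interval (quarterly); adjust to your own policy.
DECLARE @MaxPasswordAgeDays INT = 90;

-- 3. sa is located by its fixed SID (0x01) so the check still works if the
--    login has been renamed. LOGINPROPERTY returns sql_variant, hence the CAST.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,          -- 'Enforce password policy'
    l.is_expiration_checked,      -- 'Enforce password expiration'
    CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS DATETIME)
        AS password_last_set,
    DATEDIFF(DAY,
             CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS DATETIME),
             GETDATE())           AS days_since_change,
    @AuditLevel                   AS audit_level,
    CASE WHEN l.is_policy_checked = 1
          AND l.is_expiration_checked = 1
          AND @AuditLevel >= 2
          AND DATEDIFF(DAY,
                CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS DATETIME),
                GETDATE()) <= @MaxPasswordAgeDays
         THEN 'OK' ELSE 'REVIEW' END AS status
FROM sys.sql_logins AS l
WHERE l.sid = 0x01;

-- 4. Remediation for the two SQL Server 2005 options named in the tip.
--    CHECK_EXPIRATION requires CHECK_POLICY, and both inherit the Windows
--    password policy of the host. Coordinate with the password safe and the
--    rotation process before enabling, so the next expiry is not a surprise.
-- ALTER LOGIN sa WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Schedule the SELECT as a recurring job and alert on any row whose status is REVIEW; the days_since_change column also answers the earlier tip's question of when the sa password last changed.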


Next Steps

About the author
Jeremy Kadlec: Since 2002, Jeremy Kadlec has delivered value to the global SQL Server community as an MSSQLTips.com co-founder and Edgewood Solutions SQL Server Consultant.
