Sql Server Password Policy


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Authentication

Database authentication is the process of creating a user and defining that user's identity to a database server. Users provide their login credentials to validate that they have rights to access the server. The factors determined at the authentication stage include specific rights to read or update tables, to execute procedures and queries, and to carry out structural changes to the database. There are different ways to connect to a database, depending on the application, user requests and security requirements.

Password Creation

Text-based passwords are the most commonly used method of building passwords. Other methods of authentication include public key cryptography, graphical passwords, encrypted images, fingerprints, retinal scans and many others. Text-based passwords are more prone to security breaches because most users tend to select the easiest available words, which makes the passwords weak and less secure. This emphasises the need for rules governing password creation (Komanduri, et. al., 2011).

Password Policy

The password policy forms the basic requirement for password authentication. Shay et. al. (2010) define a password policy as a set of rules, defined by administrators and companies to counter the weaknesses of both innate and user-created text-based passwords, which users must follow when choosing a password. These policies do not always lead to secure passwords, as they are limited by user behaviour. According to Komanduri, et. al. (2011), users' reception of rigid policies often leads to impatience and thus results in weak passwords.

The research compares the different policies defined by Oracle, IBM and Microsoft, which are discussed below.

Oracle Password Policy

Password length is restricted to 30 characters

A password of between 12 and 30 characters and numbers is preferred.

Password must contain at least one digit, one upper case character, and one lower-case character.

Password with combination of letters in both cases, numbers and special characters is recommended

Usage of database character set, which includes the underscore (_), dollar ($), and number sign (#) characters.

Password expiration is generally set to 120 days

Account will automatically lockout after the user has 10 login failures

Password expiry warning given to user seven days before expiry

Five grace logins after password expires

Oracle (2012), as a part of security, provides

"...Routine for password complexity verification through the PL/SQL script UTLPWDMG.SQL that can be executed to check whether the passwords are sufficiently complex".

A set of predefined default user accounts is provided when Oracle Database is installed. Security is easily broken through a default database user account, even though it has a password provided after installation. One example is the user account SCOTT, which is vulnerable to intruders. In Oracle Database 11g Release 2 (11.2), default accounts are installed locked with their passwords expired.

IBM DB2 Password Policy

Passwords are case sensitive

Minimum length of password is 8 characters

Alpha-numeric characters are supported

Password expiration period must be set to 300 days

Password with combination of letters in both cases, numbers and special characters is recommended

At least two numeric and two special characters must be used

Reusing previous passwords is not allowed

Minimum two characters from previous password must exist in the new password

Account will automatically lockout after the user has 10 login failures

IBM Tivoli directory server uses three password policies (IBM, n. d.)

Group Password policy – a group-specific policy. There is one single password policy for the group. Multiple group policies can also apply, because a single user may belong to multiple groups

Individual Password policy – a user-specific policy. It allows each user to have their own specifications in the password attributes

Global Password policy – is created by the server, with the attribute ibm-pwdPolicy set to FALSE. The other policies will be ignored by the server. If the policy has to be applied on the server, the attribute has to be set to TRUE.

SQL Server Password Policy

Minimum length of password is 8 characters

Password with combination of letters in both cases, numbers and special characters is recommended

Password should not contain all or part of the user id. A user id part is defined as three or more consecutive alphanumeric characters delimited on both ends by characters such as space, tab, and return, or by special characters like comma (,), period (.), hyphen (-), underscore (_), or number sign (#).

It is recommended that the passwords are long and complex

Passwords are periodically expired. Password expiry warning given to user seven days before expiry

Login ids with expired passwords are disabled

SQL Server suggests the characteristics of a strong password as listed below (MSDN, n. d.)

It should be minimum 8 characters long

It should not be available in the dictionary

It should be changed regularly

It should be a combination of numbers, letters and special characters

It should not be the user id or any person’s name

It should not be a command or a computer name

It should be different from old or previous passwords
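The SQL Server rules above for minimum length, character mix and user id parts can be checked mechanically. The following Python sketch is an added example, not part of the original essay and not Microsoft's code; the function names are hypothetical, matching is assumed to be case-insensitive, and the recommended character mix is treated as a hard requirement for the purpose of the check.

```python
import re

# Delimiters named in the policy text: space, tab, return, comma,
# period, hyphen, underscore and number sign.
DELIMS = re.compile(r"[ \t\r\n,.\-_#]+")
MIN_LENGTH = 8  # minimum length stated in the policy


def user_id_tokens(user_id):
    """Split the user id on the delimiters and keep the parts that are
    three or more consecutive alphanumeric characters (lower-cased)."""
    return [t.lower() for t in DELIMS.split(user_id)
            if len(t) >= 3 and t.isalnum()]


def check_password(user_id, password):
    """Return a list of violated rules; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # Assumption: all four character classes must be present.
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing_" + "_".join(missing))
    # Assumption: user id parts are matched case-insensitively.
    lowered = password.lower()
    for token in user_id_tokens(user_id):
        if token in lowered:
            problems.append("contains_user_id_part:" + token)
    return problems


if __name__ == "__main__":
    # Constructed sample user id and candidate passwords.
    for candidate in ("Smith!2024x", "Major!Key77", "abc"):
        print(candidate, check_password("jo_smith-dba", candidate))
```

Note that the two-character part "jo" of the sample user id is not treated as a user id part, so a password containing "jo" is not rejected on that ground.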

Biometric Authentication

Biometric authentication methods use the user’s actual physiological or behavioural features for authentication. The advantage with biometric techniques is they cannot be lost or forgotten. This helps users as well as system administrators to manage and avoid the process of reissuing or temporarily issuing passwords. Matyas and Riha (2010) conclude in their research that the biometric authentication is an excellent supplementary authentication technique. Even simple biometric solutions enhance the overall system security when used with traditional authentication methods.

Unlike text-based passwords, which require a perfect match of two password strings, a biometric-based authentication system functions based on the match of two biometric samples (Jain and Nandakumar, 2012). Biometric systems identify users based on their anatomical features like fingerprint, facial recognition, retina and voice. These features are physically linked to the user, which makes the biometric recognition mechanism more reliable in ensuring that only authorized users are able to access the system.

Sul (2011) proposes a fingerprint classification algorithm in which the fingerprint samples are stored in a distributed manner. The biometric system initially records the fingerprints of the user using an appropriate sensor and stores them. This is called enrolment. The pre-processed images are separated into many blocks, and the extracted features of the blocks are used to categorize the image as arch, whorl, loop etc. These features are later stored as a template and are used for authenticating the user identity along with text-based passwords.

Face recognition is carried out using local binary patterns (LBP). Texture analysis and motion analysis are important when the image is retrieved for authentication (Darwish, 2010). While authenticating a user’s face, the system can produce two types of errors: a false negative, which means that the system has rejected the actual user, and a false positive, which means that the system has accepted a fraud. Attempts to minimise these false-positive errors are still in progress.


