Sunday, February 18, 2007 05:47 AM
On the MSDN site I found the following (http://msdn2.microsoft.com/en-us/library/ms161959.aspx):
Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:
* The password does not contain all or part of the account name of the user. Part of an account name is defined as three or more consecutive alphanumeric characters delimited on both ends by white space such as space, tab, and return, or any of the following characters: comma (,), period (.), hyphen (-), underscore (_), or number sign (#).
* The password is at least eight characters long.
* The password contains characters from three of the following four categories:
  o Latin uppercase letters (A through Z)
  o Latin lowercase letters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).
Passwords can be up to 128 characters long. You should use passwords that are as long and complex as possible.
When SQL Server is running on Windows 2000, setting CHECK_POLICY = ON will prevent the creation of passwords that are:
* Null or empty
* Same as name of computer or login
* Any of the following: "password", "admin", "administrator", "sa", "sysadmin"
Now, that's going to be a hell of a regex :). If I come up with any ideas, I'll let you know...
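The rules quoted above, checked one at a time in Python instead of in a single regex. This is an added example, not part of the original post and not Microsoft's code; the function names, the case-insensitive comparisons, and skipping account names shorter than three characters are assumptions.

```python
import re
import string

# Delimiters the quoted policy lists for splitting an account name into parts.
NAME_DELIMS = re.compile(r"[\s,.\-_#]+")
# Words the quoted text says are refused on Windows 2000 with CHECK_POLICY = ON.
WIN2000_BLOCKED = {"password", "admin", "administrator", "sa", "sysadmin"}


def name_parts(account_name):
    """Whole name plus each delimited alphanumeric run of 3+ characters."""
    tokens = [t for t in NAME_DELIMS.split(account_name) if t.isalnum()]
    # Assumption: a whole name shorter than 3 characters is not checked either.
    return {p.lower() for p in tokens + [account_name] if len(p) >= 3}


def complexity_violations(password, account_name):
    """Return the list of quoted complexity rules the password breaks."""
    problems = []
    lowered = password.lower()  # assumption: name comparison ignores case
    if any(part in lowered for part in name_parts(account_name)):
        problems.append("contains account name or part of it")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 128:
        problems.append("longer than 128 characters")
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        problems.append("fewer than 3 of 4 character categories")
    return problems


def win2000_violations(password, login, computer):
    """Extra refusals the quoted text lists for Windows 2000."""
    problems = []
    # Assumption: these comparisons ignore case as well.
    if not password:
        problems.append("null or empty")
    elif password.lower() in {login.lower(), computer.lower()}:
        problems.append("same as computer or login name")
    elif password.lower() in WIN2000_BLOCKED:
        problems.append("well-known password")
    return problems
```

Returning every broken rule as a list lets a sign-up form report all problems at once, which a single pass/fail regex cannot do.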