Enforce Strong (SQL 2005) Password

Posted By:   Patrick_Ward
Posted On:   Sunday, February 18, 2007 01:20 AM

Where could I find some example Java code that could be used to enforce a SQL 2005 Strong Password? Regex seems the way to go, and figured someone else has already implemented this somewhere.

Re: Enforce Strong (SQL 2005) Password

Posted By:   Patrick_Ward  
Posted On:   Monday, February 19, 2007 09:20 PM

Agreed. I broke up the RegEx expressions and here is what I came up with for my specific need as demonstrated by running on command line input and output.

Thank you for your earlier response...

import java.util.regex.Pattern;

public class SimpleCM {

    public static void main(String[] args) {
        if (args.length < 1) {
            System.err.println("Usage: java SimpleCM <password>");
            return;
        }
        String userPassword = args[0];
        boolean passwordStatus = IsStrongPassword(userPassword);
        System.out.print("Is password considered strong for SQL 2005? ");
        System.out.println(passwordStatus);
    }

    // One point per passed check (four character classes plus length).
    // Three or more points pass, unless a bad character resets the score to 0.
    private static boolean IsStrongPassword(String password) {
        int passwordStrength = 0;

        if (ContainsUpperCase(password)) {
            passwordStrength++;
        }
        if (ContainsLowerCase(password)) {
            passwordStrength++;
        }
        if (ContainsNumber(password)) {
            passwordStrength++;
        }
        if (ContainsNonAlpha(password)) {
            passwordStrength++;
        }
        if (MeetsLength(password)) {
            passwordStrength++;
        }
        if (HasBadChars(password)) {
            passwordStrength = 0; // Knock down to 0 so that password cannot be accepted
        }
        return passwordStrength >= 3;
    }

    private static boolean ContainsUpperCase(String inputValue) {
        boolean found = Pattern.compile("[A-Z]").matcher(inputValue).find();
        System.out.println("Checking for Upper Case");
        System.out.println(found);
        return found;
    }

    private static boolean ContainsLowerCase(String inputValue) {
        boolean found = Pattern.compile("[a-z]").matcher(inputValue).find();
        System.out.println("Checking for Lower Case");
        System.out.println(found);
        return found;
    }

    private static boolean ContainsNumber(String inputValue) {
        boolean found = Pattern.compile("[0-9]").matcher(inputValue).find();
        System.out.println("Checking for Numbers");
        System.out.println(found);
        return found;
    }

    private static boolean ContainsNonAlpha(String inputValue) {
        // The hyphen sits last so it is a literal; in "()-+" it formed the range ')' to '+'.
        boolean found = Pattern.compile("[!@#$%*()+?-]").matcher(inputValue).find();
        System.out.println("Checking for Non Alpha Characters");
        System.out.println(found);
        return found;
    }

    private static boolean MeetsLength(String inputValue) {
        // A bare "{6,32}" has nothing to repeat and throws PatternSyntaxException.
        // Match the whole input against 6 to 32 characters instead.
        boolean ok = Pattern.compile(".{6,32}").matcher(inputValue).matches();
        System.out.println("Checking for password min and max length");
        System.out.println(ok);
        return ok;
    }

    private static boolean HasBadChars(String inputValue) {
        boolean found = Pattern.compile("[<>&]").matcher(inputValue).find();
        System.out.println("Checking for Bad Characters");
        System.out.println(found);
        return found;
    }

} // End of SimpleCM

Re: Enforce Strong (SQL 2005) Password

Posted By:   WarnerJan_Veldhuis  
Posted On:   Sunday, February 18, 2007 05:47 AM

On the MSDN site I found the following: (http://msdn2.microsoft.com/en-us/library/ms161959.aspx)

Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:

* The password does not contain all or part of the account name of the user. Part of an account name is defined as three or more consecutive alphanumeric characters delimited on both ends by white space such as space, tab, and return, or any of the following characters: comma (,), period (.), hyphen (-), underscore (_), or number sign (#).
* The password is at least eight characters long.
* The password contains characters from three of the following four categories:
  o Latin uppercase letters (A through Z)
  o Latin lowercase letters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).

Passwords can be up to 128 characters long. You should use passwords that are as long and complex as possible.

When SQL Server is running on Windows 2000, setting CHECK_POLICY = ON will prevent the creation of passwords that are:

* Null or empty
* Same as name of computer or login
* Any of the following: "password", "admin", "administrator", "sa", "sysadmin"

Now, that's going to be a hell of a regex :). If I come up with any ideas, I'll let you know...
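
The MSDN rules quoted above can be checked one at a time rather than in a single regex. The following is an added example, not code from either poster or from Microsoft. The class and method names, the case-insensitive comparisons, and treating every character outside A-Z, a-z and 0-9 as non-alphanumeric are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

public class SqlPolicyCheck {
    // Delimiters the quoted policy lists for splitting an account name into parts.
    private static final Pattern NAME_DELIMS = Pattern.compile("[\\s,.\\-_#]+");
    private static final List<String> BLOCKED =
            Arrays.asList("password", "admin", "administrator", "sa", "sysadmin");
    // Upper, lower, digit, and (assumed) anything else as non-alphanumeric.
    private static final String[] CATEGORIES = {"[A-Z]", "[a-z]", "[0-9]", "[^A-Za-z0-9]"};

    /** Returns the rules the password violates; an empty list means it passes. */
    static List<String> violations(String password, String login, String computer) {
        List<String> out = new ArrayList<>();
        if (password == null || password.isEmpty()) {
            out.add("null or empty");
            return out;
        }
        String lower = password.toLowerCase(Locale.ROOT);
        if (password.length() < 8) out.add("shorter than 8 characters");
        if (password.length() > 128) out.add("longer than 128 characters");
        int categories = 0;
        for (String c : CATEGORIES) {
            if (Pattern.compile(c).matcher(password).find()) categories++;
        }
        if (categories < 3) out.add("fewer than 3 of 4 character categories");
        // Case-insensitive matching is an assumption; the quoted text does not say.
        for (String part : NAME_DELIMS.split(login.toLowerCase(Locale.ROOT))) {
            if (part.length() >= 3 && lower.contains(part)) {
                out.add("contains account name part: " + part);
            }
        }
        if (BLOCKED.contains(lower) || lower.equalsIgnoreCase(login)
                || lower.equalsIgnoreCase(computer)) {
            out.add("blocked word, login name or computer name");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: login "jane.smith", computer "SQLBOX01".
        String[] samples = {"Tr0ub4dor&3x", "Smith2007!", "alllowercase", "sa", "Sh0rt!"};
        for (String pw : samples) {
            System.out.println(pw + " -> " + violations(pw, "jane.smith", "SQLBOX01"));
        }
    }
}
```

Returning the list of violated rules, rather than a single boolean, lets the caller tell the user which requirement failed.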