marrowyung asked:

SQL server password policy

Dear all,

Right now I want to know the details of the SQL Server 2008 R2 with SP2 and CU4 password policy we can tick from within SSMS:

1) Can we change the SQL password policy?
2) What is the policy defined for that?
3) Any alert if someone on the SQL Server just breaks the policy?

Is it only for SQL accounts but not Windows domain accounts?
Vitor Montalvão:

SQL Server password policy follows the LOCAL server password policy. So depending on the policy that's set for the local server, you'll have the same policy for SQL Server.
You can check the current policies in the Local Security Policy:
Is it only for SQL accounts but not Windows domain accounts?
Correct. Domain accounts follow the domain security policy.
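As an added example, not from either participant: a T-SQL check, assuming SQL Server 2008 R2 or later and permission to view server-level definitions, that lists which SQL logins actually have the two SSMS tick boxes (CHECK_POLICY, CHECK_EXPIRATION) set, reads their lockout and expiry state through LOGINPROPERTY(), and generates the statements that bring the exempt logins under the host's Windows policy.

```sql
-- Added example (not from either poster). Inventory SQL Server logins (not Windows
-- logins) and show whether "Enforce password policy" / "Enforce password expiration"
-- from SSMS are really set, plus the lockout and expiry state SQL Server tracks.
-- Assumes SQL Server 2008 R2+ and VIEW ANY DEFINITION or CONTROL SERVER permission.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,                             -- CHECK_POLICY (first tick box)
    l.is_expiration_checked,                         -- CHECK_EXPIRATION (second tick box)
    LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
    LOGINPROPERTY(l.name, 'DaysUntilExpiration') AS days_until_expiration,
    LOGINPROPERTY(l.name, 'IsLocked')            AS is_locked,
    LOGINPROPERTY(l.name, 'BadPasswordCount')    AS bad_password_count,
    LOGINPROPERTY(l.name, 'IsMustChange')        AS must_change_at_next_login
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%'          -- skip the internal certificate-based logins
ORDER BY l.is_policy_checked, l.name;

-- Any row with is_policy_checked = 0 is exempt from the Windows password policy in
-- effect on the SQL Server host (complexity, age, history and account lockout), so
-- that login's password is unconstrained. The query below generates, without
-- running, the fix for each enabled exempt login. CHECK_EXPIRATION can only be ON
-- when CHECK_POLICY is ON, so both are switched together.
SELECT 'ALTER LOGIN ' + QUOTENAME(name)
     + ' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;' AS fix_statement
FROM sys.sql_logins
WHERE is_policy_checked = 0
  AND is_disabled = 0
  AND name NOT LIKE '##%';

-- Caveat: enabling CHECK_POLICY does not re-validate an existing weak password; the
-- policy applies from the next password change. To force that change at next login
-- (placeholder login name and temporary password):
-- ALTER LOGIN [example_login] WITH PASSWORD = 'Temp-Str0ng-Pass!' MUST_CHANGE,
--     CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

The effective Windows policy itself is not visible from T-SQL; read it on the host with the Local Security Policy console (as the answer above shows) or `net accounts`, and on a domain-joined host the domain GPO is what ends up applied there.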
marrowyung (ASKER):

OK, so SQL Server policy only follows the local server policy?
Any URL to prove that? I trust you, but this is good for the presentation.
ASKER CERTIFIED SOLUTION by Vitor Montalvão (solution text not available on this page)
You know, I googled this one:

http://blogs.msdn.com/b/sqlsecurity/archive/2009/03/25/enforce-password-policy-on-sql-server-logins.aspx

but that one is just too simple!

We are undergoing ISO20000 and ISO27001, so we need to document this.

Thanks,
I don't know what those ISO standards say, but for security reasons we usually disable SQL Server logins and work only with Windows Authentication, so all the login security is managed in AD instead of SQL Server.
I think this is also because, for Windows authentication, login information passing through the network is encrypted, but not for SQL-only logins, right?

The auditor just asked a password policy question! This is just the basics of security.
I think this is also because, for Windows authentication, login information passing through the network is encrypted, but not for SQL-only logins, right?
It's encrypted, but the credentials will always be travelling over the network, so there's a risk they get captured. Windows authentication uses the Kerberos protocol, so it is theoretically more secure.

The auditor just asked a password policy question! This is just the basics of security.
Why use a password policy for SQL logins and another policy for AD users? Why does a person need to remember two passwords? Why do DBAs need to manage user credentials?
"It's encrypted but the credentials will be always travelling in the network so there's a risk to be captured. "

But they have to decrypt it before reading it, right?

"Why use a password policy for SQL Login and another policy for AD user? Why a person needs to remember two passwords? Why DBA's need to manage user credentials?"

I don't understand what that means!
But they have to decrypt it before reading it, right?
Sure.

I don't understand what that means!
It means that everyone already has a credential to connect to the network (an AD user), so why create a SQL Server login for them when they can use their AD login?
"Sure."

Then it will be the same as a usual network connection, and I have no concern about this.

"Means that everyone already has a credential to connect to the network (AD user) so why create for them a SQL Server login when they can use their AD login?"

Yeah, I get it now; probably for monitoring tools' access.

So SQL-only login is not encrypted?
So SQL-only login is not encrypted?
Yes, it is. But the protocol is different. Microsoft recommends Windows Authentication whenever possible since it uses Kerberos and SQL Server login doesn't. They say it's more secure and I'm trying to believe them (even though today is April Fools' Day) :)
"I'm trying to believe them (even though today is April Fools' Day) :)"
I like it. Wait, SQL-only is also encrypted? How many bits of encryption, do you know?

April Fools is not a magazine, right?    :) :)
How many bits of encryption, do you know?
Sorry, but I don't know. To be honest, I never investigated that.
OK, I just know SQL-only login is not encrypted.

Just like a local Windows account, not encrypted at all.
Where did you get the information about that?
A long time ago; I forget where.

Just like a web account or a local server account when compared with an NT login account.