Strong Passwords

Applies to: SQL Server (all supported versions), Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics, Analytics Platform System (PDW)

Passwords can be the weakest link in a server security deployment. Take great care when you select a password. A strong password has the following characteristics:

  • Is at least eight characters long.

  • Combines letters, numbers, and symbol characters within the password.

  • Is not found in a dictionary.

  • Is not the name of a command.

  • Is not the name of a person.

  • Is not the name of a user.

  • Is not the name of a computer.

  • Is changed regularly.

  • Is different from previous passwords.

Microsoft SQL Server passwords can contain up to 128 characters, including letters, symbols, and digits. Because logins, user names, roles, and passwords are frequently used in Transact-SQL statements, certain symbols must be enclosed by double quotation marks (") or square brackets ([ ]). Use these delimiters in Transact-SQL statements when the SQL Server login, user, role, or password has the following characteristics:

  • Contains or starts with a space character.

  • Starts with the $ or @ character.

If used in an OLE DB or ODBC connection string, a login or password containing special characters must be enclosed in braces ({ }), and any right brace (}) inside the value must be escaped by doubling it. For example, the password my}Pass;word must be specified in the connection string as PWD={my}}Pass;word}.
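The brace rule above, as an added Python example that is not part of the original article: `brace_quote` applies the escaping, and `parse_conn_str` is a simplified reader written for this illustration (not the parser of any real driver) that confirms the quoted password survives as one value. The function names and the `app_login` user name are hypothetical.

```python
def brace_quote(value: str) -> str:
    """Enclose value in braces, doubling each right brace inside it."""
    return "{" + value.replace("}", "}}") + "}"


def build_conn_str(attrs: dict) -> str:
    """Join KEY=value pairs with ';', brace-quoting every value."""
    return ";".join(f"{key}={brace_quote(val)}" for key, val in attrs.items())


def parse_conn_str(conn_str: str) -> dict:
    """Simplified reader: inside braces, '}}' is a literal '}' and ';' is data."""
    attrs, i, n = {}, 0, len(conn_str)
    while i < n:
        eq = conn_str.index("=", i)          # ValueError if no KEY= follows
        key = conn_str[i:eq].strip()
        i = eq + 1
        if i < n and conn_str[i] == "{":     # braced value
            i += 1
            chars = []
            while True:
                if i >= n:
                    raise ValueError(f"unterminated brace in value of {key}")
                if conn_str[i] == "}":
                    if i + 1 < n and conn_str[i + 1] == "}":
                        chars.append("}")    # escaped right brace
                        i += 2
                        continue
                    i += 1                   # closing brace
                    break
                chars.append(conn_str[i])
                i += 1
            value = "".join(chars)
        else:                                # bare value ends at the next ';'
            end = conn_str.find(";", i)
            end = n if end == -1 else end
            value = conn_str[i:end]
            i = end
        attrs[key] = value
        if i < n and conn_str[i] == ";":
            i += 1
    return attrs


# Constructed sample; the password is the one from the article's example.
SAMPLE = {"UID": "app_login", "PWD": "my}Pass;word"}
if __name__ == "__main__":
    print(build_conn_str(SAMPLE))
```

Passing the same password without braces makes this reader stop the PWD value at the semicolon, which is why the quoting step belongs in whatever code assembles the connection string.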

Password Policy