Password Policy

APPLIES TO: SQL Server (yes), Azure SQL Database (no), Azure Synapse Analytics (SQL DW) (no), Parallel Data Warehouse (no)

SQL Server can use Windows password policy mechanisms. The password policy applies to a login that uses SQL Server authentication, and to a contained database user with password.

SQL Server can apply the same complexity and expiration policies used in Windows to passwords used inside SQL Server. This functionality depends on the NetValidatePasswordPolicy API.

Note

SQL Database enforces password complexity. The password expiration and policy enforcement sections do not apply to SQL Database.

Password Complexity

Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:

  • The password does not contain the account name of the user.

  • The password is at least eight characters long.

  • The password contains characters from three of the following four categories:

    • Latin uppercase letters (A through Z)

    • Latin lowercase letters (a through z)

    • Base 10 digits (0 through 9)

    • Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).

Passwords can be up to 128 characters long. Use passwords that are as long and complex as possible.

Password Expiration

Password expiration policies are used to manage the lifespan of a password. When SQL Server enforces password expiration policy, users are reminded to change old passwords, and accounts that have expired passwords are disabled.

Policy Enforcement

The enforcement of password policy can be configured separately for each SQL Server login. Use ALTER LOGIN (Transact-SQL) to configure the password policy options of a SQL Server login. The following rules apply to the configuration of password policy enforcement:

  • When CHECK_POLICY is changed to ON, the following behaviors occur:

    • CHECK_EXPIRATION is also set to ON unless it is explicitly set to OFF.

    • The password history is initialized with the value of the current password hash.

    • The Windows lockout settings Account lockout duration, Account lockout threshold, and Reset account lockout counter after are also enabled.

  • When CHECK_POLICY is changed to OFF, the following behaviors occur:

    • CHECK_EXPIRATION is also set to OFF.

    • The password history is cleared.

    • The value of lockout_time is reset.

Some combinations of policy options are not supported:

  • If MUST_CHANGE is specified, CHECK_EXPIRATION and CHECK_POLICY must be set to ON. Otherwise, the statement fails.

  • If CHECK_POLICY is set to OFF, CHECK_EXPIRATION cannot be set to ON. An ALTER LOGIN statement that has this combination of options will fail.

  • Setting CHECK_POLICY = ON prevents the creation of passwords that are:

    • Null or empty

    • Same as the name of the computer or login

    • Any of the following: "password", "admin", "administrator", "sa", "sysadmin"
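The following Python helper, added here as an example and not part of the original page or of SQL Server itself, re-implements the documented rules from the Password Complexity section and the CHECK_POLICY = ON list above, so that a provisioning script can reject a candidate password before it ever reaches CREATE LOGIN or ALTER LOGIN. It is a plain reading of the rules on this page, not a call into the NetValidatePasswordPolicy API; the login and computer names passed in are assumptions supplied by the caller.

```python
import string

# Reserved values that CHECK_POLICY = ON rejects outright (list taken from the page).
RESERVED_PASSWORDS = {"password", "admin", "administrator", "sa", "sysadmin"}

# Documented limits: minimum eight characters, maximum 128 characters.
MIN_LENGTH = 8
MAX_LENGTH = 128


def complexity_categories(password: str) -> int:
    """Count how many of the four documented character classes the password uses."""
    alphanumeric = string.ascii_letters + string.digits
    checks = (
        any(c in string.ascii_uppercase for c in password),  # Latin uppercase A-Z
        any(c in string.ascii_lowercase for c in password),  # Latin lowercase a-z
        any(c in string.digits for c in password),           # base 10 digits 0-9
        any(c not in alphanumeric for c in password),        # non-alphanumeric (!, $, #, % ...)
    )
    return sum(checks)


def policy_violations(password: str, login_name: str, computer_name: str = "") -> list[str]:
    """Return the documented rules a candidate password breaks; an empty list means it passes.

    login_name and computer_name are caller-supplied (assumed) values used for the
    'same as login/computer name' and 'contains account name' rules.
    """
    violations: list[str] = []
    if not password:
        return ["null or empty"]
    lowered = password.lower()
    if lowered in RESERVED_PASSWORDS:
        violations.append("reserved word")
    if lowered == login_name.lower() or (computer_name and lowered == computer_name.lower()):
        violations.append("same as login or computer name")
    elif login_name and login_name.lower() in lowered:
        violations.append("contains account name")
    if len(password) < MIN_LENGTH:
        violations.append("shorter than 8 characters")
    if len(password) > MAX_LENGTH:
        violations.append("longer than 128 characters")
    if complexity_categories(password) < 3:
        violations.append("fewer than 3 of 4 character categories")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs; login name "alice" is assumed.
    for candidate in ("Correct#Horse9", "Alice2024!", "password", "Sh0rt!"):
        print(candidate, "->", policy_violations(candidate, "alice") or "OK")
```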

The security policy might be set in Windows, or might be received from the domain. To view the password policy on the computer, use the Local Security Policy MMC snap-in (secpol.msc).

CREATE LOGIN (Transact-SQL)

ALTER LOGIN (Transact-SQL)

CREATE USER (Transact-SQL)

ALTER USER (Transact-SQL)

Create a Login

Create a Database User

Strong Passwords