Password Policy

APPLIES TO: SQL Server (yes), Azure SQL Database (no), Azure SQL Data Warehouse (no), Parallel Data Warehouse (no)

SQL Server can use Windows password policy mechanisms. The password policy applies to a login that uses SQL Server authentication, and to a contained database user with password.

SQL Server can apply the same complexity and expiration policies used in Windows to passwords used inside SQL Server. This functionality depends on the NetValidatePasswordPolicy API.

SQL Database enforces password complexity. The password expiration and policy enforcement sections below do not apply to SQL Database.

Password Complexity

Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:

  • The password does not contain the account name of the user.

  • The password is at least eight characters long.

  • The password contains characters from three of the following four categories:

    • Latin uppercase letters (A through Z)

    • Latin lowercase letters (a through z)

    • Base 10 digits (0 through 9)

    • Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).

Passwords can be up to 128 characters long. You should use passwords that are as long and complex as possible.
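The following T-SQL is an added example, not code from the original page, that exercises these rules against a test instance with CHECK_POLICY turned on. The login name policy_demo and both passwords are constructed placeholders. The complexity rules actually applied come from the Windows local or domain policy of the host, so the outcome of the first statement can differ between servers; "password" is rejected on any policy-enabled instance because it is on the deny list described under Policy Enforcement.

```sql
-- Added example (not from the original page). Run as a sysadmin on a
-- non-production instance. The login name and passwords are placeholders.

-- 1. A deny-listed, single-category password is rejected by CHECK_POLICY.
--    TRY/CATCH surfaces the server's own error instead of aborting the batch.
BEGIN TRY
    CREATE LOGIN policy_demo WITH PASSWORD = 'password', CHECK_POLICY = ON;
    PRINT 'Unexpected: weak password was accepted';
END TRY
BEGIN CATCH
    PRINT CONCAT('Rejected as expected, error ', ERROR_NUMBER(), ': ', ERROR_MESSAGE());
END CATCH;
GO

-- 2. A password that meets the guidelines (at least eight characters, three of
--    the four character classes, does not contain the login name) is accepted.
CREATE LOGIN policy_demo
    WITH PASSWORD = 'Tq7#kLm2pZ!w', CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO

-- 3. Confirm which checks are active on the new login.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = 'policy_demo';
GO

-- 4. Remove the test login.
DROP LOGIN policy_demo;
GO
```

The CATCH branch prints whatever error SQL Server raises for the rejected password; the exact message and number depend on which rule the Windows policy reports as failing.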

Password Expiration

Password expiration policies are used to manage the lifespan of a password. When SQL Server enforces password expiration policy, users are reminded to change old passwords, and accounts that have expired passwords are disabled.

Policy Enforcement

The enforcement of password policy can be configured separately for each SQL Server login. Use ALTER LOGIN (Transact-SQL) to configure the password policy options of a SQL Server login. The following rules apply to the configuration of password policy enforcement:

  • When CHECK_POLICY is changed to ON, the following behaviors occur:

    • CHECK_EXPIRATION is also set to ON unless it is explicitly set to OFF.

    • The password history is initialized with the value of the current password hash.

    • Account lockout duration, account lockout threshold, and reset account lockout counter after are also enabled.

  • When CHECK_POLICY is changed to OFF, the following behaviors occur:

    • CHECK_EXPIRATION is also set to OFF.

    • The password history is cleared.

    • The value of lockout_time is reset.

Some combinations of policy options are not supported.

  • If MUST_CHANGE is specified, CHECK_EXPIRATION and CHECK_POLICY must be set to ON. Otherwise, the statement will fail.

  • If CHECK_POLICY is set to OFF, CHECK_EXPIRATION cannot be set to ON. An ALTER LOGIN statement that has this combination of options will fail.

Setting CHECK_POLICY = ON will prevent the creation of passwords that are:

  • Null or empty

  • Same as name of computer or login

  • Any of the following: "password", "admin", "administrator", "sa", "sysadmin"

The security policy might be set in Windows, or might be received from the domain. To view the password policy on the computer, use the Local Security Policy MMC snap-in (secpol.msc).
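As an added example that is not part of the original page, the T-SQL below turns enforcement on for one existing login, shows the unsupported option combination failing, and then audits every SQL login for bypassed checks. The login name app_reporting and the temporary password are constructed placeholders; sys.sql_logins and LOGINPROPERTY are the standard catalog view and function used for this kind of review.

```sql
-- Added example (not from the original page). Run as a sysadmin on a
-- non-production instance. app_reporting and the password are placeholders.

-- 1. Enable both checks and force a password change at next sign-in.
--    MUST_CHANGE requires CHECK_EXPIRATION and CHECK_POLICY to be ON,
--    so all three are set in the same statement.
ALTER LOGIN app_reporting
    WITH PASSWORD = 'Temp0rary!Pw#2024' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;
GO

-- 2. The unsupported combination (policy OFF, expiration ON) fails; catch the
--    error so the rest of the batch still runs.
BEGIN TRY
    ALTER LOGIN app_reporting WITH CHECK_POLICY = OFF, CHECK_EXPIRATION = ON;
    PRINT 'Unexpected: unsupported option combination was accepted';
END TRY
BEGIN CATCH
    PRINT CONCAT('Rejected as expected, error ', ERROR_NUMBER(), ': ', ERROR_MESSAGE());
END CATCH;
GO

-- 3. Audit: list SQL logins that bypass policy or expiration checks, or that
--    are currently locked out, together with their expiry and lockout state.
SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        LOGINPROPERTY(l.name, 'IsMustChange')        AS must_change,
        LOGINPROPERTY(l.name, 'IsExpired')           AS is_expired,
        LOGINPROPERTY(l.name, 'IsLocked')            AS is_locked,
        LOGINPROPERTY(l.name, 'DaysUntilExpiration') AS days_until_expiration,
        LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
        LOGINPROPERTY(l.name, 'BadPasswordCount')    AS bad_password_count
FROM sys.sql_logins AS l
WHERE l.is_policy_checked = 0
   OR l.is_expiration_checked = 0
   OR LOGINPROPERTY(l.name, 'IsLocked') = 1
ORDER BY l.name;
GO
```

Logins returned by the audit query with is_policy_checked = 0 are the ones exempt from the Windows complexity, history and lockout rules described above and are usually the first thing to question in a review; DaysUntilExpiration and IsExpired are only meaningful for logins where is_expiration_checked = 1.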

See Also

CREATE LOGIN (Transact-SQL)

ALTER LOGIN (Transact-SQL)

CREATE USER (Transact-SQL)

ALTER USER (Transact-SQL)

Create a Login

Create a Database User

Strong Passwords