How many databases in the world do you think are storing your personal information? Tens? Hundreds? Thousands? I have no clue what the answer is but my guess is it’s closer to thousands than tens. Why is this an interesting question?
In my line of work I speak with lots of DBAs and I’m absolutely shocked how many times I hear a DBA say they never change the password on service accounts or admin accounts. I had one DBA admit they hadn’t changed an admin password in almost ten years! The reason almost always given is “it’s hard”.
To be blunt, this is ignorant, lazy, unprofessional and borderline negligent. I won’t apologize for being harsh and I’m sure some readers will come away offended by this; a risk I’m willing to take given the seriousness of the topic. DBAs are highly skilled and well-paid professionals – relatively speaking – and they should take the responsibility of data steward as seriously as a heart attack.
I’m sure some of you will fire back that we (Microsoft) should provide better tools for this. I don’t disagree, but this is not an acceptable excuse for poor security practices. A simple search, using your favorite search engine, will yield thousands of results for how to change service accounts and passwords, and there are even lots of sample scripts (VB, PowerShell, etc.). There is no excuse for sticking your head in the sand and repeating “it’s hard” over and over. You’re sitting on a ticking time bomb with no clue when it’ll go off. I hope you keep your resume up to date.
This isn’t a global indictment of all DBAs. There are lots of DBAs who approach their responsibility with seriousness and professionalism. They rotate service accounts and change passwords on a regular interval (45 days, 60 days, 90 days, etc.). I’m certain the first time they did this it was painful but each time it became more automated, easier, and took less time.
There are exceptions to every rule, so if you’re following a different practice for securing logins, kudos! But if you have logins that have, or are allowed to have, stale passwords I urge you, no, I beg you to take immediate action! Take action before it’s too late – before you have a security breach. I’m sure you’re like me and you don’t want your data in unauthorized hands.
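The first step in fixing stale passwords is finding them. The T-SQL below is an added example, not a script from the original post or from Microsoft: it lists SQL-authenticated logins whose password is older than a chosen threshold, using the built-in LOGINPROPERTY function and the sys.sql_logins catalog view, and then shows the ALTER LOGIN statement that makes the Windows password policy and expiration rules apply to such a login. The 90-day threshold and the login name SomeServiceLogin are placeholders; substitute your own policy interval and the logins the audit returns.

```sql
-- Added example (not from the original post). Requires a login that can see
-- all server principals, e.g. a member of the sysadmin or securityadmin role.
-- Assumption: your rotation policy is 90 days; change @MaxAgeDays to match.
DECLARE @MaxAgeDays int = 90;

-- Stale-password audit: SQL logins (not Windows logins) whose password was
-- last set more than @MaxAgeDays days ago. Windows/AD service accounts are
-- rotated in Active Directory and do not appear in sys.sql_logins.
SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,        -- 0 means Windows password policy is NOT enforced
       l.is_expiration_checked,    -- 0 means the password never expires
       CONVERT(datetime, LOGINPROPERTY(l.name, 'PasswordLastSetTime')) AS password_last_set,
       DATEDIFF(day,
                CONVERT(datetime, LOGINPROPERTY(l.name, 'PasswordLastSetTime')),
                GETDATE())         AS password_age_days,
       CONVERT(int, LOGINPROPERTY(l.name, 'BadPasswordCount')) AS bad_password_count
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND DATEDIFF(day,
               CONVERT(datetime, LOGINPROPERTY(l.name, 'PasswordLastSetTime')),
               GETDATE()) > @MaxAgeDays
ORDER BY password_age_days DESC;

-- Mitigation for a login the audit flags (placeholder name, constructed for this
-- example): enforce the OS password policy and expiration so the password cannot
-- silently go stale again. Run this only after the password has been rotated,
-- otherwise an already-expired password locks the account out immediately.
ALTER LOGIN [SomeServiceLogin] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Run the SELECT on a schedule (a SQL Agent job that writes the result to an audit table is enough) and treat any row with is_expiration_checked = 0 as a finding in its own right, since such a login will never be forced to rotate. Note that CHECK_EXPIRATION only has effect when CHECK_POLICY is also ON, and that the expiration interval comes from the Windows password policy of the host, not from SQL Server itself.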
Finally, if you’re one of these DBAs with lax security policies, you’d better hope I never end up managing your group; your first task will be to update your resume. Some things deserve zero tolerance.
And throw in the fact that many folks use the same one password for all their web sites, too. Hack any one system, and you've got somebody's login everywhere.
Two software pieces to plug here - KeePass and 1Password, both of which are cross-platform password managers that will generate strong passwords for each site and tool you use, retrieve them quickly, and store encrypted backups on your favorite media or file sync services. 1Password even has iPhone/iPad apps so you can use your passwords anywhere. Good stuff.
I completely agree with you on how important this is! Last month I wrote a post on how to change the SQL Server Service Account with PowerShell through the SMO. The script can be easily adapted to change the passwords on multiple machines: