Microsoft KB Archive/105001

FIX: sp_password Does Not Validate Old Password

PSS ID Number: Q105001 Article last modified on 10-31-1994

4.20

WINDOWS

BUG# NT: 485 (4.2)

= SYMPTOMS =

The sa can use sp_password to change another logins password. If the sa supplies an invalid old password, SQL Server will change the password to the new value, then issue the error message:

Password has been changed.

= CAUSE =

The sa user is the only login allowed to specify a login parameter with sp_password. In this case, the documentation states that sp_password will validate the old password if it is given, and reject it if wrong. sp_password is issuing the error message, but not stopping the password change.

This applies only to sa, as that is the only login capable of changing the password for another login. All other logins can only change their own password, and in this case the password validation is operating correctly.

= WORKAROUND =

Connect to SQL Server using the login ID whose password you desire to change, and execute sp_password without specifying the login_id parameter, similar to the following:

sp_password oldpassword, newpassword

When executed this way, sp_password does validate the old password.

= STATUS =

Microsoft has confirmed this to be a problem in Microsoft SQL Server version 4.2. This problem was corrected in SQL Server version 4.21. For more information, contact your primary support provider.

Additional reference words: 4.20 Windows NT KBCategory: kbprg KBSubcategory: SSrvWinNT

=
================================================================

Copyright Microsoft Corporation 1994.