22.1. Security Basics
I'm sure that a fair amount of what we're going to look into in this section is going to seem exceedingly stupid—I mean, won't everyone know this stuff? Judging by how often I see violations of even the most simple of these rules, I would say, "No, apparently they don't." All I can ask is that you bear with me, and don't skip ahead. As seemingly obvious as some of this stuff is, you'd be amazed how often it gets forgotten or just plain ignored.
Among the different basics that we'll look at here are:
One person, one login ID, one password
Password length and makeup
Number of attempts to log in
Storage of user ID and password information
22.1.1. One Person, One Login, One Password
It never ceases to shock me how, everywhere I go, I almost never fail to find that the establishment has at least one "global" user—some login into the network or particular applications that is usually known by nearly everyone in the department or even the whole company. Often, this "global" user has carte blanche (in other words, complete) access. For SQL Server, it used to be common that installations hadn't even bothered to set the sa password to something other than a blank password. This is a very bad scenario indeed.
Prior to SQL Server 2000, the default password for the sa account was null—that is, it didn't have one. Thankfully, SQL Server 2000 not only changed this default, but SQL Server will now proactively tell you that you are effectively being an idiot ...
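The blank-sa-password situation described above can be audited and corrected from T-SQL. The following is an added example, not the book's own code; it assumes SQL Server 2005 or later (for sys.sql_logins and PWDCOMPARE) and a login with CONTROL SERVER permission, and the password value is a placeholder to replace:

```sql
-- Audit: list SQL logins whose password is blank or equal to the login name.
-- sys.sql_logins and PWDCOMPARE exist in SQL Server 2005 and later; reading
-- password_hash requires CONTROL SERVER permission.
SELECT name,
       is_disabled,
       CASE WHEN PWDCOMPARE('', password_hash) = 1   THEN 'blank password'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'password equals login name'
       END AS weakness
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- Remediation for sa: give it a strong password, enforce the Windows password
-- policy on it, and disable it so that day-to-day administration goes through
-- named, per-person logins (one person, one login, one password).
ALTER LOGIN sa WITH PASSWORD = 'REPLACE-WITH-A-STRONG-PASSWORD', CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;
```

Run the SELECT first; any row it returns is a login to fix before the remediation statements are applied.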