Login password change and key copies

If one or more keys have a key copy encrypted with your login password, you need not modify those key copies after you change your login password yourself. As part of changing the login password, sp_password decrypts your key copies with your old login password and reencrypts them with the new one, so the key copies remain usable without any action by the key custodian.

If the SSO uses sp_password to change your password without supplying your old password, sp_password cannot decrypt your key copies, so it drops them instead. This prevents an administrator from gaining access to a key simply by setting a user’s password to a value the administrator knows. After a mandatory password change of this kind, the key custodian must use alter encryption key to add a new key copy for login_association for the user whose password was changed. sp_password ignores offline databases; for keys stored in offline databases, the key custodian follows the steps for recovering a lost key copy password when the database comes back online. See “Loss of login password”.

The key custodian may also need to perform these steps when a password is reset because the server was started with the -p flag. If the SSO whose password is reset by the -p flag also has access to keys through key copies encrypted with his or her login password, those key copies are no longer decryptable, and the key custodian must drop and re-create the SSO’s key copies.
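The following script is an added illustration of the two recovery sequences above (a password reset by the SSO, and a reset of the SSO’s own password); it is not from the original page. The login names sso_login and joe, the key name sales_key, and the passwords are assumed for the example; the statements use the sp_password and alter encryption key syntax described in this document.

```sql
-- Step 1 (run as the SSO): reset joe's password without knowing joe's old
-- password. caller_passwd is the SSO's own password, not joe's. Because
-- sp_password cannot decrypt joe's key copies with the old password, it drops
-- every key copy that was encrypted with joe's login password.
sp_password 'SsoOwnPw#1', 'JoeTempPw#2', joe
go

-- Step 2 (run as the key custodian): give joe a fresh key copy of sales_key
-- that is tied to his login password. Until joe's next login the copy is held
-- under a server-generated temporary password; when joe logs in with his new
-- password the server reencrypts the copy with that login password.
alter encryption key sales_key
    add encryption for user joe for login_association
go

-- Step 3 (after a restart with -p that reset sso_login's password, run as the
-- key custodian): the SSO's own key copy was encrypted with the old password
-- and is now unusable, so drop it and add a new login_association copy.
alter encryption key sales_key
    drop encryption for user sso_login
go
alter encryption key sales_key
    add encryption for user sso_login for login_association
go
```

Run Step 2 and Step 3 only while the database that holds sales_key is online; as noted above, sp_password skips offline databases, and a key copy in such a database has to be recovered with the lost key copy password procedure once the database is back online.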