Dual Control Password Management Option

Two distinct administrative users are required to generate each part of the new password. It is the combination of the two parts that become the new password for the target user. The same user cannot generate both password parts. If the same user attempts to define both password parts, the server displays an error message, and the second password part is not set.

If the server is restarted after the first password part is specified, but before the second password part is specified, the first password part is not lost. When the second password part is specified by a different user, the dual password change process completes successfully. The target user can then log in using the combined password parts.

Once initiated, generation of the dual passwords for the target user can be cancelled by specifying "NULL" as the password, as long as the user has been granted the CHANGE PASSWORD system privilege, and the right to manage the password of the target user.

Each administrative user setting a password part must notify the target user of the new password part and indicate whether it is the first or second part. To use the password, the target user enters the dual password in first part, second part order. There is a 127-character limit for each part.

If the target user is not logged in when the dual password change process completes, he or she simply logs on. Once the dual password is accepted, the user is immediately prompted to change his or her password. This provides the final level of password security. If the user is already logged in when the dual password change process completes, the user can use the ALTER USER or GRANT CONNECT statements, or the sp_password or sp_iqpassword system procedures to change the password. At the prompt for the current password, type the new dual part passwords, not the password originally entered for the current session.

The Change Password Dual Control option is enabled in a login policy.