Azure / reliable-web-app-pattern-dotnet

The Reliable Web App Pattern is a set of objectives to help your web application converge on the cloud. This repo contains a reference implementation of a reliable web application for .NET.
https://aka.ms/eap/rwa/dotnet/doc
MIT License

Review password generation strategy for SQL server #32

Closed rfrazier closed 2 years ago

rfrazier commented 2 years ago

Issue

The SQL server password is deterministic and there may be a more secure way to generate this data.

KSchlobohm commented 2 years ago

todo - replace uniqueString with azd password feature shown here https://github.com/Azure-Samples/todo-csharp-sql/blob/main/infra/main.parameters.json#L15

mcollier commented 2 years ago

FYI - while attempting to deploy I did get a failure due to the generated password not meeting the requirements.

Deployment Error Details:
PasswordNotComplex: Password validation failed. The password does not meet policy requirements because it is not complex enough.

The generated password contained lowercase and uppercase letters only (no number or special character).

KSchlobohm commented 2 years ago

Thanks for reporting this @mcollier! I saw that error once in an integration test and couldn't get the specific details we needed to make this actionable. Will open as a specific issue we can address.

KSchlobohm commented 2 years ago

The templates provide a default, and the guide explains how you can override that default with your own custom password.
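
An added example, not part of the thread or the repository's code: it covers the two problems raised above, a deterministic password and a generated password rejected with `PasswordNotComplex`, by drawing from the OS CSPRNG and checking the result before deployment. The policy rules are an assumption taken from Microsoft's documented SQL login password policy, and the function names and symbol set are hypothetical.

```python
import secrets
import string

# Assumed policy (Microsoft's documented rule for SQL logins, not stated in
# the thread): 8-128 characters, at least three of four character classes,
# and no 3+ character alphanumeric run taken from the login name.
SYMBOLS = "!#%*-_+=?"  # constructed set; avoids quote and separator characters
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def char_classes(password: str) -> set:
    """Return which of the four character classes appear in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("symbol")
    return found


def meets_policy(password: str, login: str = "") -> bool:
    """Check length, class count, and login-name overlap."""
    if not 8 <= len(password) <= 128 or len(char_classes(password)) < 3:
        return False
    lowered = password.lower()
    for i in range(len(login) - 2):
        part = login[i:i + 3].lower()
        if part.isalnum() and part in lowered:
            return False
    return True


def generate_password(length: int = 32, login: str = "") -> str:
    """Draw from the OS CSPRNG and retry until the policy is satisfied."""
    if not 8 <= length <= 128:
        raise ValueError("length must be between 8 and 128")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, login):
            return candidate


if __name__ == "__main__":
    print(meets_policy("aBcDeFgHiJkLmNoP"))  # constructed letters-only sample
    print(meets_policy(generate_password(login="sqladmin"), "sqladmin"))
```

Running `meets_policy` on a candidate before it reaches the template catches the letters-only case locally instead of at deployment time.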