An administrator can choose to "expire" passwords in syslogins at the end of the password downgrade period to void copies of passwords in backups, transaction logs, and other persistent storage where they were stored encrypted with the old algorithm.
To configure login passwords to expire, use:
sp_passwordpolicy "expire login passwords" [, "[loginame | wildcard]"]
To configure role passwords to expire, use:
sp_passwordpolicy "expire role passwords" [, "[rolename | wildcard]"]
Expiration can also be restricted to logins and roles whose passwords have not been changed since a specified datetime.
To configure stale login passwords to expire, use:
sp_passwordpolicy "expire stale login passwords", "datetime"
To configure stale role passwords to expire, use:
sp_passwordpolicy "expire stale role passwords", "datetime"
Executing sp_passwordpolicy "expire stale login passwords" with the datetime parameter set to the moment the password downgrade period ended expires every login password that has not been changed since that time. The benefit of expiring passwords after the password downgrade period ends is that each user is required to change to a different password, which makes the old password useless. Additionally, this happens without any further action by the administrator.
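A script that applies this procedure end to end, as an added example rather than text from the original documentation; the end-of-downgrade date, the login and role names, and the use of the pwdate column of syslogins and syssrvroles for the preview queries are assumptions:

```sql
-- Added example, not from the original documentation. Assumes the password
-- downgrade period ended on Jan 15 2024 (constructed date), that the session
-- holds sso_role, and that pwdate records when a password was last changed.

-- 1. Preview which login passwords are still unchanged since the cutoff,
--    so the administrator knows who will be forced to pick a new password.
select name, pwdate
from master..syslogins
where pwdate < 'Jan 15 2024 00:00:00'
order by pwdate
go

-- 2. Same preview for role passwords (syssrvroles.pwdate is an assumption).
select name, pwdate
from master..syssrvroles
where pwdate < 'Jan 15 2024 00:00:00'
order by pwdate
go

-- 3. Expire every login password not changed since the cutoff. Affected
--    users must set a new password at next login, which makes any copy of
--    the old password still stored with the old algorithm useless.
exec sp_passwordpolicy "expire stale login passwords", "Jan 15 2024 00:00:00"
go

-- 4. Expire stale role passwords in the same way.
exec sp_passwordpolicy "expire stale role passwords", "Jan 15 2024 00:00:00"
go

-- 5. Alternative, independent of the change date: expire a named set of
--    logins matched by a wildcard ("svc%" is a constructed pattern).
exec sp_passwordpolicy "expire login passwords", "svc%"
go

-- 6. Spot-check one account; sp_displaylogin reports the login's password
--    status ("app_user" is a constructed login name).
exec sp_displaylogin "app_user"
go
```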
A password that was encrypted with the old algorithm during the password downgrade period may remain in old pages, transaction logs, and other storage in the less securely encrypted form. Once the current password differs from that old password, a successful attack on the old encryption algorithm yields nothing usable.
A stronger approach for the administrator is to lock stale logins or roles; however, this requires the administrator to reset the password manually before legitimate users can access their login accounts again.