You all know about the passphrase in SharePoint (2010 and later) right? You name it during farm Creation using Powershell or the Config Wizard. It must be a complicated string of characters and it has to hold a certain length (exact requirements stated below)
Do we really need it?
Since you can replace the passphrase (Change your PassPhrase using PowerShell) without having the old one, all you need is to be a member of the farm administrators SharePoint Group. So…the use of the PassPhrase is what? You don’t need to save it since all you have to do when it is required (join farm) is to change it…and if you have the passphrase, you still have to enter the farm account (Database Access Account) username and password, so you still need the permissions…
The Passphrase in SharePoint 2013 Preview is described as:
(From the ‘Deployment guide for Microsoft SharePoint 2013 Preview’)
Although a passphrase resembles a password, it is usually longer to improve security. It is used to encrypt credentials of accounts that are registered in SharePoint 2013 Preview. For example, the SharePoint 2013 Preview system account that you provide when you run the SharePoint Products Configuration Wizard. Ensure that you remember the passphrase, because you must use it every time that you add a server to the farm.
Ensure that the passphrase meets the following criteria:
- Contains at least eight characters
- Contains at least three of the following four character groups:
- English uppercase characters (from A through Z)
- English lowercase characters (from a through z)
- Numerals (from 0 through 9)
- Nonalphabetic characters (such as !, $, #, %)
So…now that you have read all this, do we really need it? Why bother? Is it one more layer of real security or more more layer of persieved security?
-It’s easily replaced/reset (see Change your PassPhrase using PowerShell)
-You still need the farmaccount credentials to join
-It’s seldom used and thus easily lost (in real life! yes)
-For the encryption purposes, SharePoint could use a random key that you never have to see or know about…
3 thoughts on “Passphrases in SharePoint- why do we bother?”
I have exactly the same thoughts each time I install or extend a farm. A random encryption key just makes sense.
The passwords for the Managed Accounts are never presented in plain text anyway and, as you say, you need the farm or setup account password anyway.
Thanks! Funny thing, I actually presented this theory to the guy in the product group who had created and implemented the passphrases, and he was furious at me for even thinking that 😃
Hate to say it, whatever you do, don’t lose it because if you restore from a backup you will need it for sure (real life). So if you take over a SharePoint implementation from someone else just go and change the passphrase, do your Microsoft mumbling, and carry on. Just saying…