sql-server
James Jenkins (imported from SE)
Per [Does distributor_admin need sysadmin?](https://topanswers.xyz/databases?q=872), distributor_admin needs SA, and per [Can the account name of 'distributor_admin' be changed?](https://topanswers.xyz/databases?q=871), the name cannot be changed.

The password is changed with `sp_changedistributor_password`. See [sp_changedistributor_password (Transact-SQL)](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-changedistributor-password-transact-sql?redirectedfrom=MSDN&view=sql-server-2017) for details.


> When the distribution database is contained on a local instance, a random password is generated and configured automatically. [Source](https://docs.microsoft.com/en-us/sql/relational-databases/replication/security/secure-the-distributor?redirectedfrom=MSDN&view=sql-server-2017)

What this all means is that when you have replication on a local instance (*i.e. reporting database*) no one knows what the password is. It would seem to be impossible to compromise the password. Assuming you are watching for and reporting on failed login attempts, you would know if anyone was trying to brute force the password. This leads to an argument where there is no good reason to actually change the password on a regular basis. You might want to change it on day one, if you don't trust the random password generation, but even that could add more risk than it removes, as now the password has been seen and processed with human contact.

Is there a good reason to change the password for distributor_admin for local instance only?
Top Answer
James Jenkins (imported from SE)
I posted a general question at security.stackexchange, [If no one knows a password, is there a reason to change it?](https://security.stackexchange.com/q/219935/24064); as of this writing it has 3 answers.

The consensus has two parts:

1. If you know that the password cannot have been compromised, there is no reason to change it.
2. But what if it was compromised and you don't know it? By not changing it you leave your system open forever.

Examples:

* [someone who was able to access the machine from an unknown vulnerability will have unlimited access to the system, forever.](https://security.stackexchange.com/a/219967/24064)
* [If there is evidence, or at least a reasonable assumption, that the secret has been compromised. In that case, change it immediately](https://security.stackexchange.com/a/219988/24064)
* [If an admin who could recover (*or change*) the password either moves to another role or leaves the company, the password should be changed immediately thereafter.](https://security.stackexchange.com/a/219936/24064)

> Is there a good reason to change the password for distributor_admin for local instance only?

Yes, if you can change it, someone else can change it and have eternal access. If you have a password changing policy, 'distributor_admin' should be included in that policy.
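
One way to include distributor_admin in a rotation policy without anyone ever seeing the new value, as an added example that is not part of the original post. It assumes a local Distributor with no remote Publishers (which would need to be given the new password), a sysadmin caller, and a hypothetical 90-day interval.

```sql
-- Added example, not code from the original post.
-- Run on the Distributor as a member of sysadmin.
-- Assumes a local Distributor only: a remote Publisher would need the new value.
SET NOCOUNT ON;

DECLARE @max_age_days int = 90;  -- assumed policy interval, adjust to your own
DECLARE @last_set datetime =
    CAST(LOGINPROPERTY(N'distributor_admin', 'PasswordLastSetTime') AS datetime);

-- LOGINPROPERTY returns NULL when the login does not exist.
IF @last_set IS NULL
BEGIN
    RAISERROR(N'distributor_admin login not found on this instance.', 16, 1);
    RETURN;
END;

IF DATEDIFF(DAY, @last_set, GETDATE()) >= @max_age_days
BEGIN
    -- 32 bytes from the cryptographic RNG, base64-encoded into a
    -- 44-character printable string.
    DECLARE @raw varbinary(32) = CRYPT_GEN_RANDOM(32);
    DECLARE @pwd sysname = CAST(N'' AS xml).value(
        'xs:base64Binary(sql:variable("@raw"))', 'nvarchar(128)');

    -- The value exists only in this batch; it is never selected or printed.
    EXEC sp_changedistributor_password @password = @pwd;
END;

-- Report the password age so the rotation can be evidenced for audit.
SELECT
    CAST(LOGINPROPERTY(N'distributor_admin', 'PasswordLastSetTime') AS datetime)
        AS password_last_set,
    CAST(LOGINPROPERTY(N'distributor_admin', 'BadPasswordCount') AS int)
        AS bad_password_count;
```

Scheduled as a SQL Server Agent job, this keeps the "no one knows the password" property the question relies on while still bounding how long an undetected compromise could persist.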
