Michael is definitaly correct. I belive you should NEVER leave the sa password as blank or the default. I deal with sensitive hospital data and all it takes is a curious monkey with time on his hands to tap into your SQL server if the password is not secure.