Figure 3. Use Passwords to Prevent Sysadmin Users From Decrypting Data. Members of the sysadmin group can impersonate other users by adding an EXECUTE AS USER = 'OtherUser' or EXECUTE AS LOGIN = 'OtherUser' context change instruction to multi- or single-cell decryption instructions. If your data access policies require restricting sysadmin members from viewing confidential data in cleartext, authorized users must manage shared-secret encryption passwords for certificates and keys. SQL Profiler obscures password-protected query text with dashes, as shown here for a batch UPDATE passphrase encryption and single-cell decryption query. However, sysadmin members might be able to gain access to secret passwords by inspecting memory locations.
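
The password-protected pattern described above, as an added T-SQL example that is not part of the original page. The table dbo.Customers, its columns, the names CardCert and CardKey, and the bracketed passwords are all constructed placeholders.

```sql
-- Constructed sample table; every name and password below is a placeholder.
-- In a real schema the cleartext column is dropped once the data is encrypted.
CREATE TABLE dbo.Customers (
    CustomerID   int PRIMARY KEY,
    CardNumber   nvarchar(25),
    CardByPhrase varbinary(256),   -- passphrase-encrypted copy
    CardByKey    varbinary(256));  -- symmetric-key-encrypted copy
INSERT INTO dbo.Customers (CustomerID, CardNumber)
VALUES (1, N'0000-0000-0000-0000');

-- 1. Batch UPDATE with passphrase encryption, then single-cell decryption.
--    The passphrase is supplied by the caller and never stored in the database.
UPDATE dbo.Customers
SET CardByPhrase = EncryptByPassPhrase(N'<shared-passphrase>', CardNumber);

SELECT CONVERT(nvarchar(25),
       DecryptByPassPhrase(N'<shared-passphrase>', CardByPhrase)) AS CardNumber
FROM dbo.Customers
WHERE CustomerID = 1;

-- 2. Certificate whose private key is protected by a password
--    instead of the database master key.
CREATE CERTIFICATE CardCert
    ENCRYPTION BY PASSWORD = N'<cert-password>'
    WITH SUBJECT = N'Example password-protected certificate';

CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;

-- Authorized users open the key by supplying the shared certificate password.
OPEN SYMMETRIC KEY CardKey
    DECRYPTION BY CERTIFICATE CardCert WITH PASSWORD = N'<cert-password>';

UPDATE dbo.Customers
SET CardByKey = EncryptByKey(Key_GUID('CardKey'), CardNumber);

SELECT CONVERT(nvarchar(25), DecryptByKey(CardByKey)) AS CardNumber
FROM dbo.Customers
WHERE CustomerID = 1;

CLOSE SYMMETRIC KEY CardKey;

-- 3. Without the password the private key cannot be unlocked, whoever the
--    caller is or impersonates, so this statement raises an error.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
```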