Re: Passwords not case sensitive?

From: Jasper Smith (jasper_smith9_at_hotmail.com)
Date: 10/31/05

  • Next message: Gabe Matteson: "Log Shipping or Replication" 
    Date: Mon, 31 Oct 2005 21:41:15 -0000

    SQL Server 2000 maintains two versions of each login password. One is the
    actual password supplied by the user, and the other is the password
    converted by to all uppercase letters. This enables case-insensitive
    validation of passwords (for case insensitive collations). Although this
    behavior is convenient for many users, it makes password-guessing attacks
    easier by reducing the number of possible passwords

    In SQL 2005 only the actual password is stored. A password entered by a user
    must match the password stored in the server (regardless of collation,
    however the username can still be in a different case). If a password does
    not match the password stored in SQL Server, the login fails. If the precise
    case of the password characters is forgotten, the password must be reset. 

    -- 
HTH
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
"Ben" <ben_1_ AT hotmail DOT com> wrote in message 
news:0E632896-37E7-4EA0-8022-5AC2D4230F84@microsoft.com...
>I have a server that uses specific login/passwords.  And through random
> testing i noticed that the passwords are not case sensitive.  Can this be
> changed so that the passwords ARE case sensitive?
>
> thanks,
> Ben
  • Next message: Gabe Matteson: "Log Shipping or Replication"