Re: sa password



A hash function converts a variable length input stream (a password in this
case) to a fixed length value. The function is sometimes called one-way,
which means it should be easy to create the hash but very difficult to
determine the input (in this case a password) from the hash. It should be
easier to do a brute force search of all passwords to find one that produces
the same hash. A good hash function produces very different hashes even if
the input is only slightly different, and has few collisions, meaning cases
where two inputs produce the same hash value, and produces values that
appear random.

The SHA algorithm referred to in the article you link produces a 160-bit
hash, hence the 40 character hash strings (actually 20 hexadecimal
characters). This is better than MD5 which produces a 128-bit hash. A brute
force attack of an MD5 hash would require 2^64 operations, which is
feasible, but a brute force attack of an SHA hash would require 2^80
operations, which is more difficult.

The article you linked is disturbing. Knowing that the second hash is
limited to uppercase characters makes a brute force attack much easier.

Does anyone know why an upper case version of the password should be saved?
Are there any cases where the password is not case sensitive?

Note the article only applies to SQL Server 2000.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
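As an added illustration of the points above (this is example code written for this thread, not taken from the linked paper or from SQL Server), the script below shows three things in Python's standard library: that a SHA-1 digest is 160 bits rendered as 40 hex characters, that a one-character change in the input flips roughly half the digest bits, and how many bits of search space a verifier throws away when it also keeps an uppercased copy of the password. The character classes (26 lower, 26 upper, 10 digits) and the password length are assumptions chosen for the arithmetic, not a statement about SQL Server's actual password rules.

```python
import hashlib
import math
import os

# Assumed character classes for the keyspace arithmetic (not SQL Server's rules).
LOWER = 26
UPPER = 26
DIGITS = 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def case_folding_loss_bits(length: int) -> float:
    """Bits of search space lost when the verifier also stores a hash of the
    uppercased password: the attacker can target the smaller, case-folded
    keyspace instead of the mixed-case one."""
    full = keyspace(LOWER + UPPER + DIGITS, length)
    folded = keyspace(UPPER + DIGITS, length)
    return math.log2(full) - math.log2(folded)


def sha1_hex(data: bytes) -> str:
    """SHA-1 digest as a 40-character hex string (160 bits / 4 bits per char)."""
    return hashlib.sha1(data).hexdigest()


def digest_bits(hex_digest: str) -> int:
    """Bit length of a hex-encoded digest."""
    return len(hex_digest) * 4


def hamming_distance_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def salted_hash(password: str, salt: bytes) -> str:
    """Salted SHA-1 (salt || password). A per-user random salt means equal
    passwords get different hashes, so one precomputed table cannot be
    reused across accounts."""
    return sha1_hex(salt + password.encode("utf-8"))


def new_salt(nbytes: int = 16) -> bytes:
    return os.urandom(nbytes)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    h1 = sha1_hex(b"Sample-Passw0rd")
    h2 = sha1_hex(b"Sample-Passw1rd")
    print("digest bits:", digest_bits(h1), "hex chars:", len(h1))
    print("bits changed by a one-character edit:",
          hamming_distance_bits(h1, h2), "of", digest_bits(h1))
    for n in (6, 8, 10):
        print(f"length {n}: mixed-case keyspace 2^{math.log2(keyspace(62, n)):.1f}, "
              f"uppercase-only 2^{math.log2(keyspace(36, n)):.1f}, "
              f"loss {case_folding_loss_bits(n):.1f} bits")
    s1, s2 = new_salt(), new_salt()
    print("same password, different salts, same hash?",
          salted_hash("Sample-Passw0rd", s1) == salted_hash("Sample-Passw0rd", s2))
```

The last loop is the quantitative version of the thread's complaint: keeping a case-insensitive second hash does not just help a little, it removes about 0.78 bits per character of search space, so an eight-character mixed-case password is attacked as if it were roughly six bits weaker.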

"CLM" <CLM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5AF336F9-8C05-4D38-B1DD-BEC79DBEA0A5@xxxxxxxxxxxxxxxx
Never mind. I just found this sobering article all about it!

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf



"CLM" wrote:

Sorry, but what do you mean by password hash??

"Ben Nevarez" wrote:


The password hash is stored on the master database and only sysadmin has
access to it.

You can use some tools to find out the password but depending on its
complexity it can take days or weeks. But you need to have the password hash
first.

Hope this helps,

Ben Nevarez
Senior Database Administrator
AIG SunAmerica



"CLM" wrote:

Let's say that you create an instance - and I'd be curious of the answers for
both 2000 and 2005 - in Mixed Mode. If I remember right, the sa password is
stored on disk but is encrypted. Is that encryption really that powerful?
Isn't this a huge security risk? Given a few days, couldn't any decent
cracker break one password that is decrypted?

