Re: sa password



Richard and others,

SQL Server 2000 uses the second hash to support making the passwords Case
Insensitive (by turning them to all uppercase) and checking against that
also. Is it needed? No, not in SQL Server 2005, which no longer supports
that back-level behaviour.

One side effect of an upgrade to SQL Server 2005 is that some SQL Logins
will have problems since the users (or some application's proxy account
password) did not know the proper capitalization of their passwords.

RLF

"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:%237OeIsjIIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
A hash function converts a variable length input stream (a password in this
case) to a fixed length value. The function is sometimes called one-way,
which means it should be easy to create the hash but very difficult to
determine the input (in this case a password) from the hash. It should be
easier to do a brute force search of all passwords to find one that
produces the same hash. A good hash function produces very different hashes
even if the input is only slightly different, and has few collisions,
meaning cases where two inputs produce the same hash value, and produces
values that appear random.

The SHA algorithm referred to in the article you link produces a 160-bit
hash, hence the 40 character hash strings (actually 20 hexadecimal
characters). This is better than MD5 which produces a 128-bit hash. A
brute force attack of an MD5 hash would require 2^64 operations, which is
feasible, but a brute force attack of an SHA hash would require 2^80
operations, which is more difficult.

The article you linked is disturbing. Knowing that the second hash is
limited to uppercase characters makes a brute force attack much easier.

Does anyone know why an upper case version of the password should be
saved? Are there any cases where the password is not case sensitive?

Note the article only applies to SQL Server 2000.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"CLM" <CLM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5AF336F9-8C05-4D38-B1DD-BEC79DBEA0A5@xxxxxxxxxxxxxxxx
Never mind. I just found this sobering article all about it!

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf



"CLM" wrote:

Sorry, but what do you mean by password hash??

"Ben Nevarez" wrote:


The password hash is stored on the master database and only sysadmin has
access to it.

You can use some tools to find out the password but depending on its
complexity it can take days or weeks. But you need to have the password
hash first.

Hope this helps,

Ben Nevarez
Senior Database Administrator
AIG SunAmerica



"CLM" wrote:

Let's say that you create an instance - and I'd be curious of the answers
for both 2000 and 2005 - in Mixed Mode. If I remember right, the sa
password is stored on disk but is encrypted. Is that encryption really
that powerful? Isn't this a huge security risk? Given a few days,
couldn't any decent cracker break one password that is decrypted?
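The two points raised in this thread, the SQL Server 2000 second hash of the uppercased password that RLF describes and the reduced brute-force space Richard points out, are illustrated below as an added example; it is not code from any poster and not SQL Server's own pwdencrypt() layout. The record format (a 4-byte salt appended to the UTF-16LE password, SHA-1 for both hashes, and the "exact"/"upper" field names) is a constructed model chosen only to show the behaviour the thread discusses: a 2000-style record accepts any capitalization, and once the uppercase hash is dropped (the upgrade side effect RLF mentions) only the exact capitalization verifies.

```python
import hashlib
import hmac
import os
import string

# Constructed model of the two storage schemes discussed in the thread.  The
# field layout (4-byte salt, salt appended to the UTF-16LE password, SHA-1)
# is an assumption for illustration, not SQL Server's actual pwdencrypt() format.


def _sha1_salted(password: str, salt: bytes) -> bytes:
    # Assumed encoding: SQL Server handles logins as Unicode, so UTF-16LE.
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def make_record_2000(password: str, salt: bytes = None) -> dict:
    """Model of the 2000-style record: hash of the exact password plus a
    second hash of the password forced to uppercase."""
    salt = salt if salt is not None else os.urandom(4)
    return {
        "salt": salt,
        "exact": _sha1_salted(password, salt),
        "upper": _sha1_salted(password.upper(), salt),
    }


def make_record_2005(password: str, salt: bytes = None) -> dict:
    """Model of the 2005-style record: only the case-exact hash is kept."""
    salt = salt if salt is not None else os.urandom(4)
    return {"salt": salt, "exact": _sha1_salted(password, salt)}


def drop_case_insensitive_hash(record: dict) -> dict:
    """What an upgrade does to a 2000-style record in this model: the
    uppercase hash is discarded, so only exact capitalization will verify."""
    return {k: v for k, v in record.items() if k != "upper"}


def verify(record: dict, attempt: str) -> bool:
    """Accept the attempt if it matches the exact hash, or (2000 style only)
    if its uppercase form matches the stored uppercase hash."""
    salt = record["salt"]
    if hmac.compare_digest(_sha1_salted(attempt, salt), record["exact"]):
        return True
    upper = record.get("upper")
    if upper is not None and hmac.compare_digest(
            _sha1_salted(attempt.upper(), salt), upper):
        return True
    return False


def candidate_count(length: int, case_insensitive: bool) -> int:
    """Number of alphanumeric passwords of a given length a brute-force search
    must consider.  Case folding collapses 52 letters to 26, so the uppercase
    hash faces a much smaller space than the case-exact one."""
    letters = string.ascii_uppercase if case_insensitive else string.ascii_letters
    return (len(letters) + len(string.digits)) ** length


def reduction_factor(length: int) -> float:
    """How many times smaller the case-insensitive space is for this length."""
    return candidate_count(length, False) / candidate_count(length, True)


if __name__ == "__main__":
    salt = b"\x01\x02\x03\x04"   # fixed, constructed salt for a repeatable demo
    old = make_record_2000("Secret7", salt)
    print("2000 style, wrong case accepted:", verify(old, "SECRET7"))      # True
    new = drop_case_insensitive_hash(old)
    print("after upgrade, wrong case accepted:", verify(new, "SECRET7"))   # False
    print("after upgrade, exact case accepted:", verify(new, "Secret7"))   # True
    print("8-char alnum candidates, case-exact:", candidate_count(8, False))
    print("8-char alnum candidates, uppercase only:", candidate_count(8, True))
    print("reduction factor for 8 chars: %.0fx" % reduction_factor(8))
```

The verifier uses hmac.compare_digest rather than == so the comparison time does not depend on how many leading bytes match. The candidate counts are for the alphanumeric alphabet only; for an eight-character password the case-folded space is roughly 77 times smaller, which is the risk the thread describes in prose, and the check a defender would run before an upgrade is the verify() call against the stripped record: any login whose stored capitalization differs from what the application sends will stop authenticating.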



