

Password file (?)

Posted on 2005-05-12
Medium Priority
Last Modified: 2010-03-19
SS 2000

Our security guy just asked me for one of the server's "password file".  He's legit.  He wants to make sure all the SQL Server Authentication logins are using strong passwords.  Password file?  There's someplace in SS that stores the passwords unencrypted????  (BTW, if y'all tell me there is, you'll surprise the h**l out of me).

Encrypted, I can buy that.  He says he can crack it.  That makes me uneasy.  Heck, I guess anyone can crack anything, but I sure don't want to have to worry about a system table that someone can crack that easily.

But where does SS store its encrypted password info?  I suppose I can look in BOL, but I wanted to hear some expert commentary on this.
Question by: guillotj
Expert Comment by: Anthony Perkins
ID: 13991345
First of all, the passwords are stored as a hashed value in the sysusers table in the Master database.  They are not encrypted in the sense that they can be decrypted, but rather hashed.  So the only way they can be broken is with a dictionary attack.
Expert Comment by: Anthony Perkins
ID: 13991374
And no I will not tell you where or how you can hack into the SQL Server passwords as that is not permitted on this site.
Accepted Solution by: andrewbleakley (earned 750 total points)
ID: 13992363
If he can't, you can use this UDF in future to test new passwords for strength.

If he is a serious bloke he could do what my last SecOff did and reset every login and assign new passwords.

Otherwise switch to Windows Authentication and set up Windows to enforce strong passwords.

I give you these options because I completely agree with acperkins - no comment on cracking the passwords, sorry, it would be irresponsible.
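The two points made above, that the stored value is a salted hash that can only be attacked by guessing candidates (acperkins' first comment) and that new passwords should be checked for strength before they are set (the UDF andrewbleakley refers to), as an added example that is not code from this thread. It is not the UDF mentioned in the accepted solution, which is not reproduced on this page, and it is not SQL Server code: it uses a generic salted SHA-256 and does not reproduce the on-disk format of SQL Server 2000's pwdencrypt(). The strength policy, the login names, the passwords and the word list are all constructed for illustration.

```python
"""Added example, not from the thread: what 'hashed, not encrypted' means for a
login password, and a strength check that keeps weak ones out in the first place.
Generic salted SHA-256; it does NOT reproduce SQL Server 2000's own pwdencrypt()
format. All logins, passwords and word lists below are constructed sample data."""
import hashlib
import hmac
import os
import string
from typing import Dict, Iterable, List, Optional

SALT_LEN = 4

# Constructed sample of passwords that any word list will contain; a real check
# would use a much larger list.
COMMON_PASSWORDS = {"", "sa", "password", "password1", "admin", "letmein",
                    "welcome1", "sql2000"}


def check_strength(password: str, login: str = "", min_len: int = 10) -> List[str]:
    """Return the reasons a candidate password is weak; an empty list means it passes.
    Policy (assumed for this example): minimum length, at least three of the four
    character classes, not on the common list, and not containing the login name."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:
        problems.append("needs three of four character classes, missing: " + ", ".join(missing))
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    if len(login) >= 3 and login.lower() in password.lower():
        problems.append("contains the login name")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Store salt || SHA-256(salt || password). The salt is not secret; it only
    stops one precomputed table from covering every login. There is no key, so
    nothing here can be run backwards: the only way from the stored value back
    to a password is to guess candidates and recompute."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return salt + hashlib.sha256(salt + password.encode("utf-8")).digest()


def verify_password(candidate: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    recomputed = hashlib.sha256(salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(recomputed, digest)


def audit_logins(stored: Dict[str, bytes], wordlist: Iterable[str]) -> Dict[str, str]:
    """The offline audit a security officer would run: try each word against each
    login's hash. It returns only the logins whose password was in the list, which
    is exactly why a dictionary attack finds 'password1' and not a random
    12-character string."""
    words = list(wordlist)
    found = {}
    for login, value in stored.items():
        for word in words:
            if verify_password(word, value):
                found[login] = word
                break
    return found


def demo() -> Dict[str, str]:
    """Constructed sample: one login with a weak password, one with a strong one."""
    logins = {"sa": "password1", "reports": "Wq7!mzP2#rLt"}
    for name, pw in logins.items():
        print("%-8s %s" % (name, check_strength(pw, name) or ["ok"]))
    table = {name: hash_password(pw) for name, pw in logins.items()}
    return audit_logins(table, ["letmein", "password1", "welcome1"])


if __name__ == "__main__":
    print("recovered from word list:", demo())
```

Running it lists the policy failures for "sa" (too short, on the common list), passes "reports", and recovers only the "sa" password from the three-word list; the strong one is never found because nothing is decrypted, it is only compared. On SQL Server 2000 the corresponding inventory step is listing the SQL-authenticated logins from master..syslogins (the rows with isntname = 0) and, as the second answer in this thread suggests, resetting the weak ones with sp_password rather than trying to recover them.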


Author Comment
ID: 13992739
I realized how my question could be interpreted.  I tried to word it very carefully and I certainly never asked how to crack a password.  The information on where the hashed passwords are stored is freely available, I am sure.  I have been in this business a long time, and I abhor the bad guys.  In truth, I was hoping y'all would state very bluntly that it can't be done.  That's what I told my security manager.

I always walk away from flames (my career goes back way before even CompuServe was available) and this is the first time I've been disappointed by a response in this community.  But I think a comment like "And no I will not tell you where or how you can hack into the SQL Server passwords as that is not permitted on this site."  I didn't ask how to hack passwords.  I'm the DBA on all the systems, and I can change passwords to my heart's content...I just wish I could get everyone over to Windows Authentication, but it's a slow slog.

Please guys, let's keep our discourse professional, and save the disrespectful remarks for the wild west Google groups.  Thanks to andrewbleakley for his comment, however, for its respectful and professional tone.

I figured I was going to raise suspicion of my motives, but I never asked for info on how to crack a password, and I thought I was pretty clear that I disapproved of a manager's actions.  And there are plenty of hacker sites, I am sure, to go to ask questions like this.  I wouldn't expect to go to a paid site and have this sort of info handed out.  As to where the passwords are stored, this manager guy says there's an unencrypted "password list".  That's silly.  Then he says there's a password list, but SQL Server provides a tool in EM to crack the passwords.  That's not just silly, that's stupid.  So why can't y'all just leave it at, "he can't do it"?   "no I will not tell you where or how you can hack into the SQL Server passwords" is rude and not worthy of the professional deportment of this site.

Off the record ;-), I think hackers and crackers and whatever they call themselves are the bane of the earth, a bunch of bozos that cost us all time and money and have nothing productive to do.  I also don't care for my security manager's bizarre requests.  So it adds up to a bad day for me.  I just interpreted one of these comments as unnecessarily harsh and condescending, something I'd expect to find in a Google group.  Geez.  Hmmmm.  My first flame.  52 years of age and I took the bait...
Expert Comment by: andrewbleakley
ID: 13992857
Sorry if it came across as harsh or blunt - my day has been long and I got a sniff of some kid trying to do to someone what I have spent all day trying to get fixed.
I apologise if I offended you; clearly I was wrong and you deserved better. I will learn from this lesson in future and ensure I treat each question with the respect it is due regardless of what I suspect.
To answer your question, it is quite easy to do and, depending on your setup, could be done in a number of ways.
Network sniffing has worked in the past for some; dumping the sysusers table and "cracking" the hash; asking the users.
However, the best way, if you require SQL authentication, is to reset the passwords to ones you know to be strong and reassign them, using the above UDF in future.
Nothing is very secure for very long. Enabling a very strong admin password and restricting access to system tables will be your best bet for keeping your servers secure.

http://www.sqlsecurity.com/DesktopDefault.aspx is a good start to locking down your databases, and watch out for developers: we are usually lazy and do stupid things like set up apps to log in with admin rights so we don't have to muck around getting security settings tuned. In fact we are probably your worst enemy in the security of databases. Sorry for that as well.
Expert Comment by: Anthony Perkins
ID: 13992882
I am sorry you took it that way, trust me it was not intended.  You asked where it was stored and I told you, I also explained that it was a hashed value.  Unfortunately, you chose to focus on my second comment.  Perhaps if you had either warned us ahead of time that you were just a DBA or asked us what "hash" meant I could have gone into some length on the subject.

Good luck.

Author Comment
ID: 13993116
Apologies accepted from both gentlemen.  I too have had a frustrating day, and I'm a bit on edge.  Here in Houston, we're trying to get our shuttles flying again, SAFELY, deal with lots and lots of new people on board, new processes, media people everywhere, and I'm just tired and edgy.  I was just whining to my wife.  Poor thing, my safety valve.  I love her.  Anyway, guys, no harm done.  Tomorrow's another day, then it's the WEEKEND!!!!!!
