Password file (?)

SS 2000

Our security guy just asked me for one of the server's "password file".  He's legit.  He wants to make sure all the SQL Server Authentication logins are using strong passwords.  Password file?  There's someplace in SS that stores the passwords unencrypted????  (BTW, if y'all tell me there is, you'll surprise the h**l out of me).

Encrypted, I can buy that.  He says he can crack it.  That makes me uneasy.  Heck, I guess anyone can crack anything, but I sure don't want to have to worry about a system table that someone can crack that easily.

But where does SS store its encrypted password info?  I suppose I can look in BOL, but I wanted to hear some expert commentary on this.
guillotj asked:

andrewbleakley commented:
If he can't you can use this UDF in future to test new passwords for strength
http://www.novicksoftware.com/UDFofWeek/Vol1/T-SQL-UDF-Volume-1-Number-41-udf_SQL_PasswordIsStrong.htm

If he is a serious bloke he could do what my last SecOff did and reset every login and assign new passwords.

Otherwise switch to Windows Authentication and setup Windows to enforce strong passwords.

I give you these options because I completely agree with acperkins - no comment on cracking the passwords, sorry it would be irresponsible.
Anthony Perkins commented:
First of all the passwords are stored as a hashed value in the sysusers table in the Master database.  They are not encrypted in the sense that they can be unencrypted, but rather hashed.  So the only way they can be broken is with a dictionary attack.
Anthony Perkins commented:
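The UDF linked above and the dictionary-attack point in the previous answer both come down to the same defensive check: a SQL Server login's password should be long, mixed, unrelated to the login name, and not a dictionary word dressed up with digits. As an added example (not from this thread or the linked UDF), here is a small Python checker a DBA could run over a proposed reset list; the wordlist and sample logins are constructed placeholders, and the rules are an approximation, not the UDF's own logic:

```python
import re

# Constructed mini-wordlist; a real review would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "houston", "secret"}

# Undo common letter-for-symbol substitutions so "P@ssw0rd" maps back to "password".
LEET = str.maketrans("013457@$!", "oleastasi")


def password_problems(password: str, login: str) -> list[str]:
    """Return a list of reasons the password is weak; empty means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    low, lname = password.lower(), login.lower()
    if low == lname or (len(lname) >= 3 and lname in low):
        problems.append("contains the login name")
    # Strip a trailing run of digits/punctuation, de-leet, keep letters only,
    # then see whether what remains is a plain dictionary word.
    base = re.sub(r"[\d\W_]+$", "", low).translate(LEET)
    base = re.sub(r"[^a-z]", "", base)
    if base in COMMON_WORDS:
        problems.append(f"based on dictionary word '{base}'")
    return problems


def weak_logins(pairs: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each login whose proposed password fails to its list of problems."""
    return {login: p for login, pw in pairs if (p := password_problems(pw, login))}


if __name__ == "__main__":
    # Constructed reset plan: login name and the password proposed for it.
    plan = [("sa", "P@ssw0rd1!"), ("reportuser", "xK9#vTq2$Lm"), ("jdoe", "Houston2005!")]
    for login, problems in weak_logins(plan).items():
        print(f"{login}: {', '.join(problems)}")
```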
And no I will not tell you where or how you can hack into the SQL Server passwords as that is not permitted on this site.
guillotj (author) commented:
I realized how my question could be interpreted.  I tried to word it very carefully and I certainly never asked how to crack a password.  The information on where the hashed passwords are stored is freely available, I am sure.  I have been in this business a long time, and I abhor the bad guys.  In truth, I was hoping y'all would state very bluntly that it can't be done.  That's what I told my security manager.

I always walk away from flames (my career goes back way before even CompuServe was available) and this is the first time I've been disappointed by a response in this community.  But I think a comment like "And no I will not tell you where or how you can hack into the SQL Server passwords as that is not permitted on this site."  I didn't ask how to hack passwords.  I'm the DBA on all the systems, and I can change passwords to my heart's content...I just wish I could get everyone over to Windows Authentication, but it's a slow slog.

Please guys, let's keep our discourse professional, and save the disrespectful remarks for the wild west Google groups.  Thanks to andrewbleakley for his comment, however, for its respectful and professional tone.

I figured I was going to raise the suspicion of my motives, but I never asked for info on how to crack a password, and I thought I was pretty clear that I disapproved of a manager's actions.  And there are plenty of hackers' sites, I am sure, to go to ask questions like this.  I wouldn't expect to go to a paid site and have this sort of info handed out.  As to where the passwords are stored, this manager guy says there's an unencrypted "password list".  That's silly.  Then he says there's a password list, but SQL Server provides a tool in EM to crack the passwords.  That's not just silly, that's stupid.  So why can't y'all just leave it at, "he can't do it".   "no I will not tell you where or how you can hack into the SQL Server passwords" is rude and not worthy of the professional deportment of this site.

Off the record ;-), I think hackers and crackers and whatever they call themselves are the bane of the earth, a bunch of bozos that cost us all time and money and have nothing productive to do.  I also don't care for my security manager's bizarre requests.  So it adds up to a bad day for me.  I just interpreted one of these comments as unnecessarily harsh and condescending, something I'd expect to find in a Google group.  Geez.  Hmmmm.  My first flame.  52 years of age and I took the bait...
andrewbleakley commented:
Sorry if it came across harsh or blunt - my day has been long and I got a sniff of some kid trying to do to someone what I have spent all day trying to get fixed.
I apologise if I offended you, clearly I was wrong and you deserved better. I will learn from this lesson in future and ensure I treat each question with the respect it is due regardless of what I suspect.
To answer your question it is quite easy to do and depending on your setup could be done in a number of ways.
Network sniffing has worked in the past for some, dumping the sysusers table and "cracking" the hash, asking the users.
However the best way if you require SQL authentication is to reset the passwords to ones you know to be strong and reassign them. Using the above UDF in future.
Nothing is very secure for very long. Enabling a very strong admin password and restricting access to system tables will be your best bet for keeping your servers secure.

http://www.sqlsecurity.com/DesktopDefault.aspx is a good start to locking down your databases, and watch out for developers; we are usually lazy and do stupid things like setup apps to log in with admin rights so we don't have to muck around getting security settings tuned - in fact we are probably your worst enemy in the security of databases - sorry for that as well

Anthony Perkins commented:
I am sorry you took it that way, trust me it was not intended.  You asked where it was stored and I told you, I also explained that it was a hashed value.  Unfortunately, you chose to focus on my second comment.  Perhaps if you had either warned us ahead of time that you were just a DBA or asked us what "hash" meant I could have gone into some length on the subject.

Good luck.
guillotj (author) commented:
Apologies accepted from both gentlemen.  I too have had a frustrating day, and I'm a bit on edge.  Here in Houston, we're trying to get our shuttles flying again, SAFELY, deal with lots and lots of new people on board, new processes, media people everywhere, and I'm just tired and edgy.  I was just whining to my wife.  Poor thing, my safety valve.  I love her.  Anyway, guys, no harm done.  Tomorrow's another day, then it's the WEEKEND!!!!!!

Cheers!!