nyphalanx
asked on
How can I encrypt SQL Server Authentication credentials?
We have a SQL Server 2005 server which is not part of a domain. We want to use SQL Server Authentication in order to connect to this server, but want the login credentials to be encrypted when the connection attempts to the servers are made so that no one can sniff out the credentials. Using Windows Authentication is not an option at all.
This is a highly sensitive server and we want to ensure that no one will be able to sniff out the login credentials as a user attempts to connect to the SQL Server, this is why we need to be able to encrypt the credentials as the connection attempt is made.
This is a highly sensitive server and we want to ensure that no one will be able to sniff out the login credentials as a user attempts to connect to the SQL Server, this is why we need to be able to encrypt the credentials as the connection attempt is made.
Chris Mangus
How are you accessing the server? Perhaps SSL is your answer.
The issue that you have is that SQL Authentication uses a hash, not encryption, for passwords.
FROM http://blogs.msdn.com/lcris/archive/2007/04/30/sql-server-2005-about-login-password-hashes.aspx
When a login occurs, the password submitted by the user is hashed and compared to the stored hash - if they match, the password is accepted and the login succeeds.
You can encrypt the connection string
http://msdn2.microsoft.com/en-us/library/ms998300.aspx
To help make sure that the SQL account credentials remain confidential, you should encrypt the connection string in the Web.config file. To do so, you use the Aspnet_regiis utility with either the Windows Data Protection API (DPAPI) or RSA protected configuration providers.
FROM http://blogs.msdn.com/lcris/archive/2007/04/30/sql-server-2005-about-login-password-hashes.aspx
When a login occurs, the password submitted by the user is hashed and compared to the stored hash - if they match, the password is accepted and the login succeeds.
You can encrypt the connection string
http://msdn2.microsoft.com/en-us/library/ms998300.aspx
To help make sure that the SQL account credentials remain confidential, you should encrypt the connection string in the Web.config file. To do so, you use the Aspnet_regiis utility with either the Windows Data Protection API (DPAPI) or RSA protected configuration providers.
BOL has a topic on it at: ms-help://MS.SQLCC.v9/MS.S
ASKER
I'm not concerned about having the connection string encrypted inside my web.config or any other type of configuration file. I just want to be sure that it is not in plain text as the connection is made accross the network. Reading ptjcb's reply SQL Authentication uses a hash? So does this mean that as the connection is made to SQL Server that the login credentials are not sent accross in plain text, is this the default behavior?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
How are you making the connection across the network? Is this an internal network or is it connected using the Web? Are you using SSL, ASP.NET?
The default login credentials are in plain text.
The default login credentials are in plain text.
ASKER
It is an internal network, and we're just using a VBA excel program to make our database connections. We just want to make sure that even though we're using SQL Server authentication that the password is not sent accross the network in plain text.
Just from your description, I would say that, yes, you are sending the connection information across as plain text.
Are you using ODBC? SQL Server Native connection? Are you using a connection string? How is the Excel program accessing the server?
Are you using ODBC? SQL Server Native connection? Are you using a connection string? How is the Excel program accessing the server?