apps based on ms-sql, authentication question

Posted on 2011-03-07
Last Modified: 2013-11-05
Can I ask: if, say, you had an ASP.NET app with a SQL 2005 instance as the backend database for a basic payroll web application, and users need to log in to the app with a username/password, are the users' passwords typically hashed in the same table as the one where you get the default SQL accounts' password hashes, like sa?

Also, what type of query is executed against the backend database when a user tries to log in to such a web app? Is it a SELECT query against the password hash table, or something different? Would there be a field in the table with a default page to grant access to if the username and password match a pair in the table, or a link to an error page if the username/password was wrong? How does the authentication query work and proceed based on whether it's a valid password or not?

What I was wondering about was this: if we find, say, a weak password on the default MS SQL "sa" account, for argument's sake, could that weak password associated with sa potentially grant an outsider access to an application from the web? Say the password for the sa account is "password" and, as users' credentials are hashed in the same table, if someone tried to log in to the app with user "sa" and password "password", could it potentially allow them access to the application, or will there likely be something in the hash table against the sa account that stops it from being used for application login, as it's just for database admin/management etc.?
Question by:pma111
9 Comments
 
LVL 4

Accepted Solution

by:
Amgad_Consulting_Co earned 1000 total points
ID: 35058217
Hi,

1. "Are the users' passwords typically hashed in the same table as the one where you get the default SQL accounts' password hashes, like sa?" No.
2. You have to get the password hash, then select the saved (hashed) password from your DB and compare the two.
3. If someone knows your password and can get into the database, he can easily reset the users' passwords to a password known to him.

A helpful tool for page authentication is here: http://netsqlazman.codeplex.com/
 
LVL 3

Author Comment

by:pma111
ID: 35058598
That's odd, as we have another small application, intranet though not web based, and I ran a select * from syslogins and it returned sa plus a heap of other SQL authentication accounts. On closer inspection these did appear to be application user accounts. I can't verify the passwords, but people were logging into the application using the usernames that were in syslogins, so I assume in some cases users' passwords are hashed in the same table as for accounts like sa.
 
LVL 4

Expert Comment

by:Amgad_Consulting_Co
ID: 35058700
Yes, the syslogins database contains all SQL accounts, but it is not the same as application logins!!

You can try a small test: create a new application user, and see if it is added to the syslogins DB or not.
 
LVL 3

Author Comment

by:pma111
ID: 35059283
On the intranet app, yes, it was added....

Where are they normally stored, a custom-built table?
 
LVL 4

Expert Comment

by:Amgad_Consulting_Co
ID: 35060010
Yes, you may find a table named "users" or so.
 
LVL 3

Author Comment

by:pma111
ID: 35067123
Will it use the same hashing algorithm as it does for SQL authentication passwords? The last thing we'd want is for users' passwords to be stored in the database in plain text.
 
LVL 4

Expert Comment

by:Amgad_Consulting_Co
ID: 35067485
This depends on how you develop the application, or what you use for managing your users; it is nothing related to the database itself.
 
LVL 3

Author Comment

by:pma111
ID: 35068395
OK.... back to the other point.

When the app user enters his username and password and clicks "login" or whatever, can you give me a sample query the click will initiate in the database? I know it may depend, but just an example would help me better understand how the process works. No links, just an example please.
 
LVL 4

Expert Comment

by:Amgad_Consulting_Co
ID: 35068963
I guess it might be like this, using a stored procedure or something similar, if you are sending the query from your application.

CREATE PROCEDURE dbo.CheckLogin
    @Username NVARCHAR(128),
    @HashedPassword VARBINARY(64)  -- hash computed by the app, passed as a parameter
AS
BEGIN
    IF EXISTS (SELECT 1
               FROM dbo.users
               WHERE Username = @Username
                 AND [Password] = @HashedPassword)
        RETURN 1;   -- credentials match
    ELSE
        RETURN 0;   -- no match
END
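The accepted answer (hash the submitted password, then compare it with the hash saved in your DB) and the sample login query in the last comment describe one mechanism; the following added example, which is not code from the thread or from any product discussed in it, puts both together end to end. It assumes an application-owned "users" table holding a per-user salt and a PBKDF2-HMAC-SHA256 hash (the hashing choice is the application's, as the thread says, not the database's), uses SQLite in memory to stand in for the SQL Server backend, and keeps the table completely separate from the server's own logins, so a server account such as sa simply has no row here.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Constructed example: the application's own user store. SQLite stands in
# for SQL Server; nothing here touches the server login catalogue (syslogins).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash) using PBKDF2-HMAC-SHA256 with a fresh 16-byte salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_schema(conn: sqlite3.Connection) -> None:
    # Only the salt and the hash are stored; the clear-text password never is.
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pwd_hash BLOB NOT NULL)"
    )


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (username, salt, pwd_hash) VALUES (?, ?, ?)",
        (username, salt, digest),
    )


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The query behind the login button: fetch the user's salt and stored hash
    by username (a parameterized SELECT, never string concatenation), recompute
    the hash from the submitted password and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pwd_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # No such application user. A server login like 'sa' ends up here
        # unless someone deliberately created an application account with that name.
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Build the table, add one user and try three logins; returns the outcomes."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    add_user(conn, "alice", "correct horse battery staple")  # constructed credentials
    return {
        "valid": check_login(conn, "alice", "correct horse battery staple"),
        "wrong_password": check_login(conn, "alice", "password"),
        "sa_not_an_app_user": check_login(conn, "sa", "password"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third login attempt answers the original worry directly: because the application consults only its own users table, the server's sa login is never a candidate, however weak its password. The separate risk the accepted answer raises (someone with database access resetting stored hashes) is not prevented by this code; it is a matter of who can write to the users table.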