How to recover a SQL Server login password.

  • Comments posted to this topic are about the item How to recover a SQL Server login password.

  • Nice. Knew there must be a tool to do this

    I can see my pcs graphics card will be busy this afternoon to see how long it takes to break my pass


    Wayne

    Did you get access denied? Great the security works.

  • Hi,

    in my system

    select name, password_hash

    from sys.sql_logins

    returns null for password_hash for simple users.

    so what permissions is required?

    Carmelo

  • Very useful article, but I can't help but wonder if this was just an excuse to show off that you have a 7970 clocked at 1010MHz!

    I read some time ago that very long but easy to remember pass-phrases like peanutbutterandjellysandwiches actually take a password cracker longer to answer than supposedly safe passwords like for example Z34d*&1a.

    Alas I don't have access/permission to play with this tool at work - any chance you could run up a benchmark/test or comment on a long pass-phrase like this?

    I wonder if this technology supports crossfireX ... 😀

    Ben

    ^ Thats me!

    ----------------------------------------
    01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
    ----------------------------------------

  • slightly off topic: For the likes of windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that, only stored the first 8 characters were encrypted in the SAM (no idea what 2008/2012 does) The remaining characters were readable (with a tool like l0pht), so to use Bens example, it would show as

    ********tterandjellysandwiches

    pre any bruteforce decryption. A human could probably figure out the missing words, or at least know not to bother with numbers, uppercase or symbols for the brute force crack.

    Maybe using long alphanumeric + symbols passwords is the way forward again to make the delay too long for the brute force method to find the password i.e. before the important passwords get changed

    Must investigate to prove this one way or another to myself! 🙂


    Wayne

    Did you get access denied? Great the security works.

  • BenWard (3/4/2013)


    Very useful article, but I can't help but wonder if this was just an excuse to show off that you have a 7970 clocked at 1010MHz!

    I read some time ago that very long but easy to remember pass-phrases like peanutbutterandjellysandwiches actually take a password cracker longer to answer than supposedly safe passwords like for example Z34d*&1a.

    Alas I don't have access/permission to play with this tool at work - any chance you could run up a benchmark/test or comment on a long pass-phrase like this?

    I wonder if this technology supports crossfireX ... 😀

    crossfire is supported. so is SLI if you use NVIDIA.

    i am not bragging. if i were i would tell you I actually have an HP workstation with 2 XEON procs and crossfired 7970's

    your 30 character password is stronger than your 10 character password.

    you have to use the CPU version of hashcat to crack 30 characters and with 16 cores it would still take over 100 years! I suppose if you have a rack of Cisco UCS's at your dispossal, you could get that down to a handful of days.....

  • excellent - thanks for the info.

    I've decided to do some maths.

    If you used a dictionary based brute force it might feasibly take less time I suppose depending on how many words were in your dictionary.

    The Oxford English dictionary has ~ 220,000 words plus they estimate more than 8000 additional words are in use.

    the number of possible combinations on a 5 word pass-phrase like peanut butter and jelly sandwiches would be 228000^5 or:

    616132666368000000000000000

    for a letter-by-letter brute force attack you'd be looking at 26^30 or:

    ~281319890128474591925862102961600000000000

    an 8-character 'secure' password has roughly 80 different characters you might expect to see used 80^8:

    1677721600000000

    so a dictionary attack is dramatically quicker on the passphrase than character by character but is easilly scuppered by throwing the number 5 into the middle of a word, using a French word etc. Even with the dictionary attack it is still hugely more effective than the regular 8 character model in use by most places.

    Fun times.

    Ben

    ^ Thats me!

    ----------------------------------------
    01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
    ----------------------------------------

  • Scary and unsettling.

    More reason to ensure access to master db is restricted (backups too!)

    Long live long passwords:-D

    Cheers,

    JohnA

    MCM: SQL2008

  • Wayne Evans-440401 (3/4/2013)


    slightly off topic: For the likes of windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that, only stored the first 8 characters were encrypted in the SAM (no idea what 2008/2012 does) The remaining characters were readable (with a tool like l0pht), so to use Bens example, it would show as

    ********tterandjellysandwiches

    It didn't quite work that way. The old LAN Manager password system that was used prior to Kerberos authentication split the password into two 7-character chunks and encrypted them separately--it was thus possible for a password cracker to deal with each half individually and work much faster. It also wasn't case sensitive, massively reducing the possible list of passwords any cracker needed to check. Note that Windows 2000 and 2003 would still generate a LAN Manager hash for any passwords shorter than 15 characters in order to maintain backward compatibility with older versions of Windows that didn't recognise Kerberos.

    The password specified above would be too long to get an LM hash on Windows 2k/2k3, so you'd only have a problem if you were trying to use it on a pre-Active Directory domain. It would get split into PEANUTB and UTTERAN, and since both of those are simple dictionary words with one or two letters attached, would be crackable extremely easily.

  • Wow! Awesome article, Geoff! This is spooky stuff. I knew that passwords mostly kept the honest man honest because there's lots of ways to crack them especially with the power built into some of these bloody video cards. I just had no idea how fast they really were. Thank you for the time you spent on this article. It's going to help me a lot.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Jeff Moden (3/4/2013)


    It's going to help me a lot.

    Sounds ominous :w00t:

    MM



    select geometry::STGeomFromWKB(0x0106000000020000000103000000010000000B0000001000000000000840000000000000003DD8CCCCCCCCCC0840000000000000003DD8CCCCCCCCCC08408014AE47E17AFC3F040000000000104000CDCCCCCCCCEC3F9C999999999913408014AE47E17AFC3F9C99999999991340000000000000003D0000000000001440000000000000003D000000000000144000000000000000400400000000001040000000000000F03F100000000000084000000000000000401000000000000840000000000000003D0103000000010000000B000000000000000000143D000000000000003D009E99999999B93F000000000000003D009E99999999B93F8014AE47E17AFC3F400000000000F03F00CDCCCCCCCCEC3FA06666666666FE3F8014AE47E17AFC3FA06666666666FE3F000000000000003D1800000000000040000000000000003D18000000000000400000000000000040400000000000F03F000000000000F03F000000000000143D0000000000000040000000000000143D000000000000003D, 0);

  • Forum Etiquette: How to post Reporting Services problems
  • [/url]
  • Forum Etiquette: How to post data/code on a forum to get the best help - by Jeff Moden
  • [/url]
  • How to Post Performance Problems - by Gail Shaw
  • [/url]

  • I'm with Jeff. This is very cool stuff butvery ominous, too. I do have a SQL utility user pwd that I've lost, so this will be useful. On the other hand I don't want anybody else to know this. It's like the One Ring of Power, it's already making me think of all the malicious acts I could do with this power. ("My precious, my precious.")

    Actually, I've pretty much given up on passwords protecting me. One day and not too long from now, we'll all have implanted RF chips like doggie-lojacks that will identify us and let us use the atm, buy groceries, login to Amazon, etc.

    Sigerson

    "No pressure, no diamonds." - Thomas Carlyle

  • Sigerson (3/4/2013)


    we'll all have implanted RF chips

    Until some quack attempting to make a quick buck publishes a dubious medical report based on 3 test patients who just so happen to work in a nuclear power station linking RF implants to some disease that everyone is afraid of.

    I'm not cynical at all!

    Even that isn't fool proof, pickpocketers will start bumping into you with RF scanners and instead of just nabbing your wallet, will steal your identity, your car, you house and probably your wife and kids too.

    Ben

    ^ Thats me!

    ----------------------------------------
    01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
    ----------------------------------------

  • Sigerson (3/4/2013)On the other hand I don't want anybody else to know this. It's like the One Ring of Power, it's already making me think of all the malicious acts I could do with this power.

    Use longer passwords and it ceases to be an issue. Yes, he was able to find a 5-character password in 2 seconds using a brute force search with a powerful GPU, but the complexity of such a search increases massively with the number of characters--a guesstimate would suggest that if it takes 2 seconds to find a 5-character password, it will take approximately 23 days to find an 8-character password using the same mechanism! (This is assuming perhaps 100 possible characters used in the password, which would give the 8-character one a million times more possibilities than the 5-character one).

    If you had a 20-character password, well, it would probably take longer than the remaining life of the Universe to crack it!

  • Geoff,

    Please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired you can also be fined and/or prosecuted.:-D

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"

  • Viewing 15 posts - 1 through 15 (of 59 total)

    You must be logged in to reply to this topic. Login to reply