The system table sys.sql_logins contains a column called [password_hash] and sys.sysoledbusers contains a column called [rmtpassword], which should be a hash of the password, but for security reasons SQL Server returns it as NULL.

http://technet.microsoft.com/en-us/library/ms190496(v=sql.105).aspx

http://technet.microsoft.com/en-us/library/ms188018(v=sql.105).aspx

However, using the function pwdcompare() it is possible to perform a "dictionary attack" on the hash to deduce the password. For example:

declare @PW table (pwtext varchar(180) not null primary key);

insert into @PW (pwtext)

values ('password'), ('123456'), ('12345678'), ('1234'), ('qwerty'), ('12345');

select name, type_desc, create_date, modify_date, password_hash

from sys.sql_logins l

join @PW pw on pwdcompare(pw.pwtext, l.password_hash) = 1;

You actually must be a SYSADMIN level user in the first place to perform the above queries. It's probably more practical to reset the password on the remote account.

This is why you don't want any database users, except the DBA, to have membership in SYSADMIN role. The ability to query system tables like this presents security issues.