How to recover a SQL Server login password
Posted Sunday, March 3, 2013 5:18 PM
Mr or Mrs. 500
Comments posted to this topic are about the item How to recover a SQL Server login password.
Post #1426046
Posted Monday, March 4, 2013 1:25 AM
SSC-Enthusiastic
Nice. Knew there must be a tool to do this.

I can see my PC's graphics card will be busy this afternoon to see how long it takes to break my pass.

Wayne

Did you get access denied? Great, the security works.
Post #1426114
Posted Monday, March 4, 2013 2:49 AM
Forum Newbie
Hi,

In my system

    select name, password_hash
    from sys.sql_logins

returns NULL for password_hash for simple users.
So what permission is required?

Carmelo
Post #1426141
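A defensive use of the same catalog view, added here as an example and not taken from the thread or the article: audit your own instance for logins with a blank password, a password equal to the login name, or policy and expiration checks switched off. PWDCOMPARE requires CONTROL SERVER (the sysadmin role carries it), and that permission is also what gates password_hash, which is why the column reads as NULL for an ordinary login.

```sql
-- Added example (not from the thread): audit SQL logins for weak credentials
-- and disabled policy enforcement, without the hashes ever leaving the server.
-- Run as a login holding CONTROL SERVER; otherwise PWDCOMPARE cannot be
-- evaluated and password_hash is returned as NULL.
SELECT
    l.name,
    l.is_policy_checked,          -- 0 = Windows password policy not enforced
    l.is_expiration_checked,      -- 0 = password never expires
    CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1
         THEN 1 ELSE 0 END AS blank_password,
    CASE WHEN PWDCOMPARE(l.name, l.password_hash) = 1
         THEN 1 ELSE 0 END AS password_is_login_name,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND (
        l.is_policy_checked = 0
     OR l.is_expiration_checked = 0
     OR PWDCOMPARE(N'', l.password_hash) = 1
     OR PWDCOMPARE(l.name, l.password_hash) = 1
      )
ORDER BY l.name;
```

Any row returned is a login that should be fixed with ALTER LOGIN (new password, CHECK_POLICY = ON, CHECK_EXPIRATION = ON) before worrying about GPU cracking speeds.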
Posted Monday, March 4, 2013 4:22 AM
Old Hand
Very useful article, but I can't help but wonder if this was just an excuse to show off that you have a 7970 clocked at 1010MHz!

I read some time ago that very long but easy to remember pass-phrases like peanutbutterandjellysandwiches actually take a password cracker longer to answer than supposedly safe passwords like, for example, Z34d*&1a.

Alas, I don't have access/permission to play with this tool at work. Any chance you could run up a benchmark/test or comment on a long pass-phrase like this?

I wonder if this technology supports CrossFireX ... :D
Ben

^ That's me!
Post #1426173
Posted Monday, March 4, 2013 4:44 AM
SSC-Enthusiastic
Slightly off topic: for the likes of Windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that only the first 8 characters stored were encrypted in the SAM (no idea what 2008/2012 does). The remaining characters were readable (with a tool like l0pht), so to use Ben's example, it would show as

********tterandjellysandwiches

pre any brute-force decryption. A human could probably figure out the missing words, or at least know not to bother with numbers, uppercase or symbols for the brute-force crack.

Maybe using long alphanumeric + symbol passwords is the way forward again, to make the delay too long for the brute-force method to find the password, i.e. before the important passwords get changed.

Must investigate to prove this one way or another to myself! :)
Wayne

Did you get access denied? Great, the security works.
Post #1426180
Posted Monday, March 4, 2013 5:25 AM
Mr or Mrs. 500
BenWard (3/4/2013)
Very useful article, but I can't help but wonder if this was just an excuse to show off that you have a 7970 clocked at 1010MHz!

I read some time ago that very long but easy to remember pass-phrases like peanutbutterandjellysandwiches actually take a password cracker longer to answer than supposedly safe passwords like, for example, Z34d*&1a.

Alas, I don't have access/permission to play with this tool at work. Any chance you could run up a benchmark/test or comment on a long pass-phrase like this?

I wonder if this technology supports CrossFireX ... :D

CrossFire is supported; so is SLI if you use NVIDIA.
I am not bragging. If I were, I would tell you I actually have an HP workstation with 2 Xeon procs and crossfired 7970s.
Your 30 character password is stronger than your 10 character password.

You have to use the CPU version of hashcat to crack 30 characters, and with 16 cores it would still take over 100 years! I suppose if you had a rack of Cisco UCSs at your disposal, you could get that down to a handful of days...
Post #1426191
Posted Monday, March 4, 2013 5:41 AM
Old Hand
Excellent - thanks for the info.

I've decided to do some maths.

If you used a dictionary-based brute force it might feasibly take less time, I suppose, depending on how many words were in your dictionary.

The Oxford English Dictionary has ~220,000 words, plus they estimate more than 8,000 additional words are in use.

The number of possible combinations on a 5-word pass-phrase like peanut butter and jelly sandwiches would be 228000^5, or:
616132666368000000000000000

For a letter-by-letter brute-force attack you'd be looking at 26^30, or:
~281319890128474591925862102961600000000000

An 8-character 'secure' password has roughly 80 different characters you might expect to see used, 80^8:
1677721600000000

So a dictionary attack is dramatically quicker on the passphrase than character by character, but is easily scuppered by throwing the number 5 into the middle of a word, using a French word, etc. Even with the dictionary attack it is still hugely more effective than the regular 8-character model in use by most places.

Fun times.

Ben

^ That's me!
Post #1426198
Posted Monday, March 4, 2013 5:48 AM
SSC-Enthusiastic
Scary and unsettling.

More reason to ensure access to the master db is restricted (backups too!).

Long live long passwords.

Cheers,

JohnA

MCM: SQL2008
Post #1426199
Posted Monday, March 4, 2013 6:19 AM
SSCommitted
Wayne Evans-440401 (3/4/2013)
Slightly off topic: for the likes of Windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that only the first 8 characters stored were encrypted in the SAM (no idea what 2008/2012 does). The remaining characters were readable (with a tool like l0pht), so to use Ben's example, it would show as

********tterandjellysandwiches

It didn't quite work that way. The old LAN Manager password system that was used prior to Kerberos authentication split the password into two 7-character chunks and encrypted them separately; it was thus possible for a password cracker to deal with each half individually and work much faster. It also wasn't case sensitive, massively reducing the possible list of passwords any cracker needed to check. Note that Windows 2000 and 2003 would still generate a LAN Manager hash for any password shorter than 15 characters in order to maintain backward compatibility with older versions of Windows that didn't recognise Kerberos.

The password specified above would be too long to get an LM hash on Windows 2k/2k3, so you'd only have a problem if you were trying to use it on a pre-Active Directory domain. It would get split into PEANUTB and UTTERAN, and since both of those are simple dictionary words with one or two letters attached, they would be crackable extremely easily.
Post #1426206
Posted Monday, March 4, 2013 8:10 AM
SSC-Dedicated
Wow! Awesome article, Geoff! This is spooky stuff. I knew that passwords mostly kept the honest man honest because there are lots of ways to crack them, especially with the power built into some of these bloody video cards. I just had no idea how fast they really were. Thank you for the time you spent on this article. It's going to help me a lot.

--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013
Post #1426265