How to recover a SQL Server login password. Expand / Collapse
Posted Monday, March 4, 2013 8:17 AM
Jeff Moden (3/4/2013)
It's going to help me a lot.


Sounds ominous


MM


  • MMGrid Addin
  • MMNose Addin


  • Forum Etiquette: How to post Reporting Services problems
  • Forum Etiquette: How to post data/code on a forum to get the best help - by Jeff Moden
  • How to Post Performance Problems - by Gail Shaw

  Post #1426270
    Posted Monday, March 4, 2013 9:09 AM
    I'm with Jeff. This is very cool stuff but very ominous, too. I do have a SQL utility user pwd that I've lost, so this will be useful. On the other hand I don't want anybody else to know this. It's like the One Ring of Power, it's already making me think of all the malicious acts I could do with this power. ("My precious, my precious.")

    Actually, I've pretty much given up on passwords protecting me. One day and not too long from now, we'll all have implanted RF chips like doggie-lojacks that will identify us and let us use the atm, buy groceries, login to Amazon, etc.


    Sigerson

    "No pressure, no diamonds." - Thomas Carlyle
    Post #1426303
    Posted Monday, March 4, 2013 9:16 AM
    Sigerson (3/4/2013)
    we'll all have implanted RF chips


    Until some quack attempting to make a quick buck publishes a dubious medical report based on 3 test patients who just so happen to work in a nuclear power station linking RF implants to some disease that everyone is afraid of.

    I'm not cynical at all!

    Even that isn't foolproof; pickpockets will start bumping into you with RF scanners and instead of just nabbing your wallet, will steal your identity, your car, your house and probably your wife and kids too.


    Ben

    ^ That's me!


    ----------------------------------------
    01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
    ----------------------------------------
    Post #1426312
    Posted Monday, March 4, 2013 9:19 AM
    Sigerson (3/4/2013)
    On the other hand I don't want anybody else to know this. It's like the One Ring of Power, it's already making me think of all the malicious acts I could do with this power.


    Use longer passwords and it ceases to be an issue. Yes, he was able to find a 5-character password in 2 seconds using a brute force search with a powerful GPU, but the complexity of such a search increases massively with the number of characters--a guesstimate would suggest that if it takes 2 seconds to find a 5-character password, it will take approximately 23 days to find an 8-character password using the same mechanism! (This is assuming perhaps 100 possible characters used in the password, which would give the 8-character one a million times more possibilities than the 5-character one).

    If you had a 20-character password, well, it would probably take longer than the remaining life of the Universe to crack it!
    Post #1426313
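    A worked version of the estimate in the post above, added here as an illustration and not code from the thread. It takes the post's figures as assumptions (a 100-symbol alphabet, the whole 5-character space searched in 2 seconds on one GPU) and shows how the exhaustive-search time scales with length and with the size of the alphabet, which is why the dictionary attacks mentioned later in the thread matter so much for word-based passwords.

```python
from math import log10

# Figures from the post above, treated as assumptions: a 100-symbol alphabet,
# and the whole 5-character space searched in 2 seconds on one GPU.
ALPHABET_SIZE = 100
BENCH_LENGTH = 5
BENCH_SECONDS = 2.0
SECONDS_PER_YEAR = 365.25 * 86400
UNIVERSE_AGE_YEARS = 1.4e10  # rough order of magnitude, used for scale only


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def guesses_per_second() -> float:
    """Guess rate implied by the benchmark (worst case: whole space searched)."""
    return keyspace(BENCH_LENGTH) / BENCH_SECONDS


def seconds_to_exhaust(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """Worst-case time to try every password of this length at the benchmark rate.

    The average case is half of this; only the order of magnitude matters here.
    """
    return keyspace(length, alphabet) / guesses_per_second()


def describe(length: int, alphabet: int = ALPHABET_SIZE) -> str:
    """Human-readable scale for the exhaustive-search time."""
    s = seconds_to_exhaust(length, alphabet)
    if s < 60:
        return f"{s:.0f} seconds"
    if s < SECONDS_PER_YEAR:
        return f"{s / 86400:.1f} days"
    years = s / SECONDS_PER_YEAR
    if years > UNIVERSE_AGE_YEARS:
        return f"about 1e{log10(years):.0f} years (far beyond the age of the Universe)"
    return f"{years:.0f} years"


if __name__ == "__main__":
    # Same lengths, two alphabets: the 100-symbol one from the post and
    # lowercase-only (26), to show how much a narrow alphabet gives away.
    for n in (5, 8, 12, 20):
        print(f"{n:2d} chars, 100 symbols: {describe(n)}")
        print(f"{n:2d} chars, a-z only:    {describe(n, 26)}")
```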
    Posted Monday, March 4, 2013 9:27 AM
    Geoff,

    Please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be fined and/or prosecuted.


    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ..."
    Post #1426318
    Posted Monday, March 4, 2013 9:30 AM
    TravisDBA (3/4/2013)
    Be very careful about suggesting that people do this. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.



    I don't work for the government, but I don't see a problem with the sa having this on his system (developers are another story). After all, as sa I can change your password at will and I have access to all unencrypted data.


    /* ----------------------------- */
    Daughter of Elysium, drunk with fire we enter, heavenly one, your sanctuary!

    Post #1426322
    Posted Monday, March 4, 2013 9:34 AM
    paul.knibbs (3/4/2013)
    Sigerson (3/4/2013)
    On the other hand I don't want anybody else to know this. It's like the One Ring of Power, it's already making me think of all the malicious acts I could do with this power.


    Use longer passwords and it ceases to be an issue. Yes, he was able to find a 5-character password in 2 seconds using a brute force search with a powerful GPU, but the complexity of such a search increases massively with the number of characters--a guesstimate would suggest that if it takes 2 seconds to find a 5-character password, it will take approximately 23 days to find an 8-character password using the same mechanism! (This is assuming perhaps 100 possible characters used in the password, which would give the 8-character one a million times more possibilities than the 5-character one).

    If you had a 20-character password, well, it would probably take longer than the remaining life of the Universe to crack it!


    Greg,

    The government auditors don't care who you are or what level of access you have in your brain. If the files are PHYSICALLY on the government work laptop then it is vulnerable to attack and you are ultimately liable. Particularly, if this software can be used to crack SQL logins that have access to HIPAA health related data.


    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ..."
    Post #1426323
    Posted Monday, March 4, 2013 10:10 AM
    Excellent post on brute forcing using oclhashcat-lite - everyone, please be aware that dictionary and rules-based dictionary attacks are also available in GPU-powered form with these excellent tools.

    For everyone worried about their passwords, note that SQL Server itself does support a maximum of 128 characters, and high ASCII is allowed, so if you absolutely must have the "sa" account or a similar SQL Server sysadmin level account available, then a password like

    Éá«zpÙYÆÉlêÙRoPõ3wC3Ó)~=5ûÈælZOcLÛہ¼{ÖÅw™úG54)uQçeÂ?n¾KaôÅAÔÓ½Ò5år³\5ÞÑ=l¾[ÑæQ}ÞZPÐAþ+xhR߬fó1ßfG{ñBÉÜšn‡ƒeji—ÜQ¾væ—ŸTBËŠÍÔ—xÂ

    is perfectly acceptable, and can be cut and pasted into SSMS without any problems.

    As far as longer word-based passwords, something like
    Madeline12152008 is a horrible password, especially if your daughter Madeline was born on December 15th in 2008.

    ETA: Software like KeePass can be used to generate (and store) such passwords.
    Post #1426347
    Posted Monday, March 4, 2013 10:13 AM
    TravisDBA (3/4/2013)
    Geoff,

    Please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.


    Travis,
    I am not sure how I am responsible for government employees and their activities on their laptops.
    But if you're saying I should be on the lookout for black suits knocking on my door, I'll keep one eye open.
    Post #1426352
    Posted Monday, March 4, 2013 10:56 AM
    Geoff A (3/4/2013)
    TravisDBA (3/4/2013)
    Geoff,

    Please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.


    Travis,
    I am not sure how I am responsible for government employees and their activities on their laptops.
    But if you're saying I should be on the lookout for black suits knocking on my door, I'll keep one eye open.


    Ok, no problem, just be careful suggesting that kind of thing to the public at large. Not everyone means well in this world. That is all I'm saying. I could see someone sitting in court and explaining "Well your honor, Geoff Albin showed me how to hack a SQL Login production password on SQLServerCentral.com!!!"


    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ..."
    Post #1426372