Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Can it be possible SQL Login creation with an empty password Expand / Collapse
Author
Message
Posted Wednesday, July 24, 2013 2:04 AM
SSC-Enthusiastic

SSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-Enthusiastic

Group: General Forum Members
Last Login: Tuesday, January 21, 2014 8:11 AM
Points: 103, Visits: 398
Hi

I would like to know that, Is that possible to create SQL Login with blank password in SQL Server...

Please advise !!!
Post #1476911
Posted Wednesday, July 24, 2013 2:51 AM


SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Today @ 7:59 AM
Points: 2,078, Visits: 2,410
Yes, it's possible. But is is a real security risk and never -ever- recommended. Are you really sure you can not define a password?

This is how you do it:
1.) In the GUI don't enter a password and clear the checkbox "enforce password policy".
or
2.) With T-SQL:
CREATE LOGIN [login_name] WITH PASSWORD=N'', DEFAULT_DATABASE=[database_name], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF



** Don't mistake the ‘stupidity of the crowd’ for the ‘wisdom of the group’! **
Post #1476930
Posted Wednesday, July 24, 2013 7:49 AM
SSC-Enthusiastic

SSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-Enthusiastic

Group: General Forum Members
Last Login: Tuesday, January 21, 2014 8:11 AM
Points: 103, Visits: 398
Thanks all you guys for responding,but I believe in the older version of SQL Server (200 and below) can only possible.... am i correct ? and for SQL 2005 onwards this has been changed and will not allow to have blank password. Please correct me if any information on this...


Great Persons ...Good Involvement
Post #1477068
Posted Wednesday, July 24, 2013 8:04 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Today @ 3:31 PM
Points: 11,949, Visits: 10,982
mohan.bndr (7/24/2013)
Thanks all you guys for responding,but I believe in the older version of SQL Server (200 and below) can only possible.... am i correct ? and for SQL 2005 onwards this has been changed and will not allow to have blank password. Please correct me if any information on this...


Great Persons ...Good Involvement


Did you try it? The code posted will generate a login with a blank password.


_______________________________________________________________

Need help? Help us help you.

Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

Need to split a string? Try Jeff Moden's splitter.

Cross Tabs and Pivots, Part 1 – Converting Rows to Columns
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs
Understanding and Using APPLY (Part 1)
Understanding and Using APPLY (Part 2)
Post #1477077
Posted Thursday, July 25, 2013 12:44 PM


UDP Broadcaster

UDP BroadcasterUDP BroadcasterUDP BroadcasterUDP BroadcasterUDP BroadcasterUDP BroadcasterUDP BroadcasterUDP Broadcaster

Group: General Forum Members
Last Login: Today @ 11:01 AM
Points: 1,468, Visits: 4,267
mohan.bndr (7/24/2013)
Thanks all you guys for responding,but I believe in the older version of SQL Server (200 and below) can only possible.... am i correct ? and for SQL 2005 onwards this has been changed and will not allow to have blank password. Please correct me if any information on this...

Yes, it is technically possible to have a SQL Server account with blank password, I saw this the other day on a SQL Server 2008 R2 instance. Perhaps it was an artifact left over from a 2000 -> 2005/2008 migration, but it was there.

For identifying weak SQL Server accounts, I use the following:

-- There are several frequently used password lists posted on the web. 
-- Here are a few, but perhaps 100 or more could be inserted here.
declare @pw table (pwtext varchar(180) not null primary key);
insert into @pw (pwtext)
values ('password'), ('123456'), ('12345678'), ('1234'), ('qwerty'), ('12345');
select name, type_desc, create_date, modify_date, password_hash
from sys.sql_logins l
join @pw pw on pwdcompare(pw.pwtext, l.password_hash) = 1;

-- Query accounts with empty password:
select name, type_desc, create_date, modify_date, password_hash
from sys.sql_logins
where pwdcompare('', password_hash) = 1;

-- Query accounts where password = account name:
select name, type_desc, create_date, modify_date, password_hash
from sys.sql_logins
where pwdcompare(name, password_hash) = 1;




"Winter Is Coming" - April 6, 2014
Post #1477676
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse