One problem with that password generator - you only allow 17 total characters (0-9, A-F, hypen) which makes hacking it much simpler than if you allowed 63 or more characters (A-Z, a-z, 0-9, hyphen). Just as a simple example, a brute force attack on a 4-character password with only 17 allowable characters would take (at maximum), 83,521 attempts. A brute force attack on a 4-character password with 63 allowable characters requires a maximum of 15,752,961 attempts. Bute forcing a 4-character password that uses all standard keyboard-accessible printable characters (95 total) requires 81,450,625 max. attempts.
Here's a simple password generator that takes your idea of using NEWID(), but generates significantly stronger passwords with any printable/keyboard accessible characters from SPACE (0x20) to tilde (0x7e). This may have to be modified to eliminate certain characters if you want or need to exclude them:
/*-- Requires a numbers table like thisSELECT TOP 500 Num = IDENTITY(INT, 1, 1)INTO dbo.NumbersFROM syscolumns s1CROSS JOIN syscolumns s2
ALTER TABLE dbo.NumbersADD CONSTRAINT PK_NumbersPRIMARY KEY (Num)*/
-- Set this to the max length for the password to generateDECLARE @pwd_length INTSELECT @pwd_length = 255
-- Initialize variables, varbinary work password and varchar final pwdDECLARE @work_pwd VARBINARY(256)SET @work_pwd = CAST('' AS VARBINARY(256))DECLARE @pwd VARCHAR(256)SET @pwd = ''
-- Use NEWID() to generate somewhat "random" string of bytesWHILE (DATALENGTH(@work_pwd) < @pwd_length) SET @work_pwd = @work_pwd + CAST(NEWID() AS VARBINARY(16))
-- Limit it to the length defined by @pwd_lengthSET @work_pwd = SUBSTRING(@work_pwd, 1, @pwd_length)
-- Put it in a tableCREATE TABLE #PwdChars (Num INT PRIMARY KEY NOT NULL, i INT, PwdChar INT)
-- We need to account for non-printable and special characters here. We only want-- keyboard accessible characters; basically SPACE (0x20) to tilde (0x7e).INSERT INTO #PwdChars (Num, i, PwdChar)SELECT n.Num, CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT), CASE WHEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) < 32 THEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) + 32 WHEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) > 254 THEN 126 WHEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) > 126 THEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) / 2 ELSE CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) ENDFROM dbo.Numbers nWHERE n.Num > 0 AND n.Num <= DATALENGTH(@work_pwd)
-- Now loop through and build the character passwordWHILE @pwd_length > 0BEGIN SET @pwd = @pwd + CHAR( (SELECT PwdChar FROM #PwdChars WHERE Num = @pwd_length)) SET @pwd_length = @pwd_length - 1END
-- Clean upDROP TABLE #PwdChars
-- Display itSELECT @pwd
Great discussion.
I like the password generators. The easier you can make it to get a long/strong password, the more likely people are to use them.
Vendor applications that require elevated privileges (or even use a hard-codes sa account and password) can be a thorny issue. We don't want them on our servers, but the business wants them so they can remain competitive. To accomodate both sides, I try to segregate vendor application databases on their own instance to keep them away from corporate data, when possible.
Don't forget to have the SQL Service for the "vendor" instance run under a different domain account than your "corporate" SQL Servers so the vendor instance won't have access to any valuable permissions on your corporate instance.
To calculate the maximum attempts it would take to crack a password. You need to take the number of allowable character values and raise that value by the number of populated positions in the password. This calculation only works if each position in the password allows the same number of character values. Ahh its to early for this math.
Examples:
For an online calculator go to http://www.motionnet.com/calculator/
Now if you are wondering how long it will take to crawk a password, I will need to refer you to a site that tries to estimate it
http://www.lockdown.co.uk/?pg=combi&s=articles
For comparison purposes:
1772 = 3.911310908*1088 max. attempts6372 = 3.568778227*10129 max. attempts9572 = 2.489428061*10142 max. attempts
The max. attempts calculation can be a little misleading since it is a maximum, and the average password crack attempt will probably succeed in about 1/2 that number on average.
Additionally, if there is any additional known information about the password you can cut down the # of max. attempts considerably. For instance with the prior knowledge that your password is composed of two GUID's cast to character format and concatenated, I automatically know that the following 8 character positions are always hyphens: 9, 14, 19, 24, 45, 50, 55, 60. I also know that the remaining 64 character positions only have 16 possible characters each (0-9, A-F). So the new calculation is:
1664 * 18 = 1.157920892*1077
The estimates in the article you linked to appear to be using Pentium 100 MHz class machines in their estimates. Those estimates should probably take common 2.x GHz (and higher) processor machines into consideration as well.
I was finally able to put together a simple script that generates a more complex password for the SA account. It is 128 characters long and uses 81 different values. You can add more special characters if you want.
The basis for this script came from http://www.sswug.org/see/T-SQL_procedure_to_generate_passwords_for_Standard_Logins-26104
DECLARE @String varchar(81)SET @String = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz~`!@#$%^&*()_-+=?<>'
DECLARE @Cnt as intDECLARE @Pwd varchar(128)SET @Cnt = 0SET @Pwd=''WHILE @Cnt < 128BEGIN SET @Pwd=@Pwd + SUBSTRING(@String,CONVERT(tinyint,RAND()*81)+1,1) SET @Cnt=@Cnt+1ENDSELECT @pwdEXECUTE master..sp_password null,@pwd,'sa'
