How Safe are Your Passwords?
Posted Saturday, December 7, 2002 12:00 AM
SSC Rookie

Group: General Forum Members
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/jgama/sqlserverpasswordauditing.asp


Post #8659
Posted Saturday, December 7, 2002 5:32 PM
SSCrazy Eights

Group: Moderators
Good article. However it is only a matter of time before someone will figure out how to crack the password schema of anything. Especially if the password storage is easy to get at, so security on your server against being able to see the table with the passwords is your best defense. Then fixing situations where people who would have access that could get there are removed or set rules about leaving logged-in machines unattended (casual browsing is the biggest threat). And of course location and ability for others to access the machine itself is another major factor. As a Novell teacher told me once:

quote:
The only safe machine does not exist in reality.

Post #48897
Posted Saturday, December 7, 2002 7:32 PM
Keeper of the Duck

Group: Moderators
More on the weakness of the passwords:

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

Of course, since this technique requires access to sysxlogins, you can only implement it as a sysadmin. Of course, if someone can take advantage of a SQL Server vulnerability to escalate his or her access (called privilege escalation)... you get the idea.

The software that came out of the research:

http://www.nextgenss.com/software/ngssqlcrack.html

The review by Steve:

http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp

The biggest weakness, of course, is if the network traffic can be sniffed and either multiprotocol (with encryption) or SSL are not in use.

K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #48898
Posted Monday, December 9, 2002 2:02 AM
SSC Rookie

Group: General Forum Members
Good Article.
I agree that in a short matter of time as processors start getting faster, cracking SA passwords will be child's play.

Post #48899
Posted Monday, December 9, 2002 6:42 AM
Keeper of the Duck

Group: Moderators
This isn't necessarily the case. It really depends on the encryption mechanism used.

For instance, 40-bit encryption for SSL was cracked in '95 or '96. However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still... which is why they've asked for backdoors in encryption algorithms that are too costly to crack).


Post #48900
Posted Monday, December 9, 2002 8:27 AM
SSC Veteran

Group: General Forum Members
quote:

However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still...

When you think about networked computers and the internet, the potential number of computers available for a brute force attack can become reasonable. The SETI screen saver program had hundreds of thousands of users at its peak. This program used your idle time when the screen saver was running to analyze background radio noise to search for Extraterrestrial Intelligence (SETI).

Google has a tool bar button now that allows you to participate in pretty much whatever someone wants to pay them for in the same way. If you break a big problem into small enough parts, you can farm it out to lots of "crackers" to solve in a short elapsed time.


You still can't get 9 women together and have a baby in one month though. Some single-threaded things do just take time.

Post #48901
Posted Monday, December 9, 2002 8:56 AM
Keeper of the Duck

Group: Moderators
The last estimate I read on cracking true 128-bit encryption for SSL (not the Netscape attempt of yesteryear where only 40 bits were actually encrypted to stay in compliance with US export requirements) was that if you took all the computing power on the planet currently it would take millions of millions of years.


Post #48902
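The two posts above argue about whether pooling machines (SETI-style) changes the picture for 128-bit keys. The following is an added example, not code from the thread or its authors: it takes the single data point the posts give (a 40-bit key brute-forced by about 100 computers in 8 days), derives a per-machine key rate from it on the assumption that the search was exhaustive, and scales that rate to 128-bit keys and to pools of a million volunteer machines.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Constructed from the thread's data point: 100 machines, 8 days, 40-bit key.
# Assumed to be an exhaustive search of the keyspace (worst case for the attacker).
REFERENCE_BITS = 40
REFERENCE_MACHINES = 100
REFERENCE_DAYS = 8.0


def keys_per_second_per_machine(bits=REFERENCE_BITS, machines=REFERENCE_MACHINES,
                                days=REFERENCE_DAYS):
    """Per-machine rate implied by 'machines exhausted a bits-bit keyspace in days'."""
    return 2 ** bits / (machines * days * SECONDS_PER_DAY)


def exhaustive_days(bits, machines, rate):
    """Days to try every key of a bits-bit keyspace with `machines` at `rate` keys/s each."""
    return 2 ** bits / (machines * rate * SECONDS_PER_DAY)


def expected_years(bits, machines, rate):
    """Expected years to hit the right key: on average half the keyspace is searched."""
    return 2 ** (bits - 1) / (machines * rate * SECONDS_PER_YEAR)


def bits_offset_by_machines(machines):
    """Extra key bits that a pool of `machines` cancels out (each doubling buys one bit)."""
    return math.log2(machines)


def brute_force_summary(rate, pool_sizes=(100, 10 ** 5, 10 ** 6)):
    """Expected years for 40- and 128-bit keys across pool sizes. A million
    volunteer machines only offsets about 20 of the 88 extra bits."""
    return {
        (bits, n): expected_years(bits, n, rate)
        for bits in (40, 128)
        for n in pool_sizes
    }


if __name__ == "__main__":
    rate = keys_per_second_per_machine()
    print(f"implied rate: {rate:,.0f} keys/s per machine")
    for (bits, n), years in brute_force_summary(rate).items():
        print(f"{bits:>3}-bit key, {n:>9,} machines: {years:.3g} years")
    print(f"1,000,000 machines offset {bits_offset_by_machines(10 ** 6):.1f} bits")
```

The point it makes concrete is that adding machines is linear while adding key bits is exponential, so the distributed-computing argument closes the gap by tens of bits, not the 88 bits between the two key sizes.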
Posted Tuesday, December 10, 2002 4:20 AM
SSC-Addicted

Group: General Forum Members
This is a very good article.
So, how can we protect our computers from attacks?
1. Deny rights to syslogins.
2. Deny rights to xp_ procedures.
3. Make your sa password lengthy (according to the white papers it will take only 13 seconds to crack an 8-character password).
4. Include upper-level characters in your password (ALT+ key).
5. Monitor the traffic.


Cheers,
Prithiviraj Kulasingham

http://preethiviraj.blogspot.com/
Post #48903
Posted Tuesday, December 10, 2002 10:26 AM
Valued Member

Group: General Forum Members
Kind of off topic but not really...

How does one go about finding a lost / forgotten sa password? Assuming that one cannot even log in to the box.

Err... this happens to err.. my friend's *cough cough* dev box that hasn't been used for quite some time...

Post #48904
Posted Tuesday, December 10, 2002 11:10 AM
Keeper of the Duck

Group: Moderators
NGSSQLCrack:

http://www.ngssoftware.com/


Post #48905