How Safe are Your Passwords?

Click here to monitor SSC

<a href="http://g.adspeed.net/ad.php?do=clk&zid=15220&wd=468&ht=60&pair=as" target="_blank"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15220&wd=468&ht=60&pair=as" alt="i" width="468" height="60"/></a>

SQLServerCentral is supported by Red Gate Software Ltd.

Log in :: Register :: Not logged in

<a href="http://g.adspeed.net/ad.php?do=clk&zid=15491&wd=120&ht=300&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15491&wd=120&ht=300&pair=as" alt="i" width="120" height="300"/></a>

Recent Posts

Popular Topics

Home

Home » Article Discussions » Article Discussions by Author » Discuss Content Posted by Joseph Gama » How Safe are Your Passwords?

Add to briefcase

12 posts, Page 1 of 2

1 2 »»

How Safe are Your Passwords?

Expand / Collapse

Author

Message

Posted Saturday, December 07, 2002 12:00 AM

SSC Rookie

Group: General Forum Members
Last Login: Thursday, November 30, 2006 8:57 PM
Points: 31, Visits: 1

Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/jgama/sqlserverpasswordauditing.asp

Post #8659

Posted Saturday, December 07, 2002 5:32 PM

SSCrazy Eights

Group: Moderators
Last Login: Tuesday, April 09, 2013 12:53 PM
Points: 8,357, Visits: 684

Good article. However it is only a matter of time before someone will figure out how to crack the password schema of anything. Especially if the password storage is easy to get at so security on your server against being able to see the table with the passwords is you best defense. Then fixing situations where people who would have access that could get there are removed or set rules about leaving logged in machines unattended (causal browsing is the biggest threat). And of course location and ability for others to access the machine itself is another major factor. As a Novell treacher told me once.

quote:
The only safe machine does not exist in reality.

Post #48897

K. Brian Kelley

Posted Saturday, December 07, 2002 7:32 PM

Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Today @ 1:13 PM
Points: 6,584, Visits: 1,790

More on the weakness of the passwords:

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

Of course, since this technique requires access to sysxlogins, you can only implement as a sysadmin. Of course, if someone can take advantage of a SQL server vulnerability to escalate his or her access (called privilege escalation)... you get the idea.

The software that came out of the research:

http://www.nextgenss.com/software/ngssqlcrack.html

The review by Steve:

http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp

The biggest weakness, of course, is if the network traffic can be sniffed and either multiprotocol (with encryption) or SSL are not in use.

K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog |

LinkedIn | Twitter

Post #48898

Posted Monday, December 09, 2002 2:02 AM

SSC Rookie

Group: General Forum Members
Last Login: Thursday, October 22, 2009 11:55 AM
Points: 34, Visits: 2

Good Article.
I agree that in a short matter of time as processors start getting faster, cracking SA passwords will be child's play.

Post #48899

K. Brian Kelley

Posted Monday, December 09, 2002 6:42 AM

Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Today @ 1:13 PM
Points: 6,584, Visits: 1,790

This isn't necessarily the case. It really depends on the encryption mechanism used.

For instance, 40-bit encryption for SSL was cracked in '95 or '96. However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still... which is why they've asked for backdoors in encryption algorithms that are too costly to crack).

K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog |

LinkedIn | Twitter

Post #48900

Posted Monday, December 09, 2002 8:27 AM

SSC Veteran

Group: General Forum Members
Last Login: Friday, October 17, 2003 12:00 AM
Points: 299, Visits: 1

quote:

However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still...

When you think about networked computers and the internet, the potential number of computers available for a brute force attack can become reasonable. The SETI screen saver program had hundreds of thousands of users at its peak. This program used your idle time when the screen saver was running to analyze background radio noise to search for Extra Terrestrial Intelligence (SETI).

Google has a tool bar button now that allows you to participate in pretty much whatever someone wants to pay them for in the same way. If you break a big problem into small enough parts, you can farm it out to lots of "crackers" to solve in a short elapsed time.

You still can't get 9 women together and have a baby in one month though. Some single-threaded things do just take time.

Post #48901

K. Brian Kelley

Posted Monday, December 09, 2002 8:56 AM

Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Today @ 1:13 PM
Points: 6,584, Visits: 1,790

The last estimate I read on cracking true 128bit encryption for SSL (not the Netscape attempt of yesteryear where only 40 bits were actually encrypted to stay in compliance with US export requirements) was if you took all the computing power on the planet currently it would take millions of millions of years.

K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog |

LinkedIn | Twitter

Post #48902

G.R.Prithiviraj Kulasingham

Posted Tuesday, December 10, 2002 4:20 AM

SSC-Addicted

Group: General Forum Members
Last Login: Sunday, October 21, 2012 8:59 PM
Points: 421, Visits: 362

This is a very good article.
So, How can we prevent our computer from attacks.
1. Deny rights to syslogins.
2. Deny rights to xp_ procedures
3. Make your sa password lengthly (according to the white papers it will take only 13 seconds to crack a 8 characters password.
4. Include upper level characters in your password (ALT+) key
5. Monitor the trafic

Cheers,
Prithiviraj Kulasingham

http://preethiviraj.blogspot.com/

Post #48903

Posted Tuesday, December 10, 2002 10:26 AM

Valued Member

Group: General Forum Members
Last Login: Wednesday, June 07, 2006 9:45 PM
Points: 73, Visits: 1

Kind of off topic but not really...

How do one go about finding a lost / forgotten sa password? Assuming that one cannot even login to the box.

Err... this happens to err.. my friend's *cough cough* dev box that hasn't been used for quite some time...

Post #48904

K. Brian Kelley

Posted Tuesday, December 10, 2002 11:10 AM

Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Today @ 1:13 PM
Points: 6,584, Visits: 1,790

NGSSQLCrack:

http://www.ngssoftware.com/

K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog |

LinkedIn | Twitter

Post #48905

« Prev Topic | Next Topic »

Add to briefcase

12 posts, Page 1 of 2

1 2 »»

Permissions

Expand / Collapse