How Safe are Your Passwords?
Posted Thursday, December 12, 2002 12:18 AM
SSC Rookie
Group: General Forum Members
Last Login: Thursday, November 30, 2006 8:57 PM
Points: 31, Visits: 1
Thank you. You are right, it is a matter of time and opportunity. Faster machines make brute force attacks easier; phone, email, ICQ and other faceless media allow for daring social engineering stunts; and hackers with plenty of time and lots of online info will keep on trying to find loopholes. Hackers bring excitement to a DBA's life, and actually, not long ago, the concept of databases that would require minimum assistance was gaining some momentum, and it was the work of hackers and security analysts that stopped it.
quote:

Good article. However, it is only a matter of time before someone will figure out how to crack the password schema of anything. Especially if the password storage is easy to get at, so security on your server against being able to see the table with the passwords is your best defense. Then fixing situations where people who would have access that could get there are removed, or set rules about leaving logged-in machines unattended (casual browsing is the biggest threat). And of course location and ability for others to access the machine itself is another major factor. As a Novell teacher told me once:

quote:
The only safe machine does not exist in reality.

Post #48906
Posted Sunday, December 15, 2002 2:31 AM
SSC Rookie
Group: General Forum Members
Last Login: Thursday, November 30, 2006 8:57 PM
Points: 31, Visits: 1
Thank you. I based my article on NGSS work. They are the best security consultants that I can think of. Their work on SQL injection was also pioneering, and we are always learning from them.

quote:

More on the weakness of the passwords:

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

Of course, since this technique requires access to sysxlogins, you can only implement it as a sysadmin. Of course, if someone can take advantage of a SQL Server vulnerability to escalate his or her access (called privilege escalation)... you get the idea.

The software that came out of the research:

http://www.nextgenss.com/software/ngssqlcrack.html

The review by Steve:

http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp

The biggest weakness, of course, is if the network traffic can be sniffed and either multiprotocol (with encryption) or SSL are not in use.

K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
Post #48907
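The quoted post names two things a defender should keep an eye on: who holds sysadmin (and can therefore read the stored password hashes that sysxlogins held in the SQL Server 2000 era), and whether client traffic crosses the network unencrypted. The following T-SQL is an added example written for this thread, not code from either poster or from NGSS. It assumes SQL Server 2005 or later, where the catalog views and DMVs used here exist (sys.server_role_members, sys.server_principals, sys.dm_exec_connections, sys.dm_exec_sessions) and where the old sysxlogins hashes are exposed through sys.sql_logins instead; running it requires VIEW SERVER STATE.

```sql
-- Added defender check, not from the thread. Assumes SQL Server 2005+ and
-- VIEW SERVER STATE. On 2005+, sysxlogins' hashes live in
-- sys.sql_logins.password_hash and are readable only by sysadmin / CONTROL SERVER.

-- 1. Who can read the stored password hashes? Every member of sysadmin.
SELECT m.name        AS member_name,
       m.type_desc   AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Which live connections carry traffic in the clear? The thread's
--    "biggest weakness" is sniffable traffic; encrypt_option = 'FALSE'
--    means no TLS on that connection. Shared-memory connections are local
--    to the box and never reach the wire, so they are excluded.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.auth_scheme,
       c.client_net_address,
       c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'
ORDER BY s.login_name, c.session_id;
```

Run both queries from a sysadmin session (or one granted VIEW SERVER STATE); an empty second result set with "Force Encryption" enabled on the server's network configuration is the state the quoted post is asking for. The first query lists direct role members only: a Windows group listed there grants sysadmin to every account in that group, so the group's membership has to be reviewed on the domain side as well.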