
Honeywords in SQL Server

By Steve Jones

As we become more and more security conscious, it becomes more important not only to configure systems for better security, but also to add more monitoring and auditing to detect when problems occur. We know that at some point someone will attempt to hack our systems. Many of us have auditing set up to detect failed logins, but is that good enough?

If a hacker manages to gain access to your password hashes, and it's not a stretch these days to think that they might, wouldn't you like to know if they manage to find the plain text that corresponds to the hash? There's an idea that systems could be written to store multiple passwords for each user account, only one of which is valid. A separate system detects attempts to log in with the false passwords and alerts administrators to a hacking attempt.

This is an interesting idea, and while it won't solve all our problems, it will solve some. If a brute-force attack occurs on an account, and multiple passwords are being tried, all of which are known to be false (the honeyword passwords), administrators can be notified, and warnings passed on to users. It doesn't help if the hacker chooses the correct password to enter first, but with enough honeywords, you reduce the chances that they will.
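The scheme described above, as an added Python example that is not from the original editorial and is not a SQL Server feature: the credential store holds several hashes per account, and a separate checker that knows only which slot is real raises the alert. The class names, return strings, PBKDF2 parameters and sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

def pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are assumed values for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class HoneyChecker:
    """The separate system: knows only which slot holds the real password."""
    def __init__(self):
        self._real_slot = {}
        self.alerts = []          # users whose honeywords were tried

    def set_slot(self, user: str, slot: int) -> None:
        self._real_slot[user] = slot

    def is_real(self, user: str, slot: int) -> bool:
        if self._real_slot.get(user) == slot:
            return True
        self.alerts.append(user)  # a decoy matched: the hashes were likely stolen
        return False

class CredentialStore:
    """The login database: several hashes per user, none marked as real."""
    def __init__(self, checker: HoneyChecker):
        self.checker = checker
        self.rows = {}            # user -> (salt, [hash, ...])

    def register(self, user: str, password: str, honeywords: list) -> None:
        if password in honeywords:
            raise ValueError("honeywords must differ from the real password")
        words = honeywords + [password]
        secrets.SystemRandom().shuffle(words)   # hide the real slot's position
        salt = os.urandom(16)
        self.rows[user] = (salt, [pw_hash(w, salt) for w in words])
        self.checker.set_slot(user, words.index(password))

    def login(self, user: str, attempt: str) -> str:
        if user not in self.rows:
            return "denied"
        salt, hashes = self.rows[user]
        candidate = pw_hash(attempt, salt)
        for slot, stored in enumerate(hashes):
            if hmac.compare_digest(candidate, stored):
                return "ok" if self.checker.is_real(user, slot) else "honeyword"
        return "denied"           # ordinary wrong password, no alert
```

An ordinary mistyped password returns "denied" without alerting; only a guess that matches one of the stored decoy hashes is recorded by the checker.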

I don't know that I'd like to see this for SQL Server, but I certainly would like to see additional security features. Two-factor authentication would be nice, perhaps even some sort of approval process enabled that required multiple approvals for some changes. The latter would help us prevent the cowboy DBA from making changes without anyone else being aware of them.

Detection of breaches, using something like honeywords, provides another layer of security. Honeywords don't prevent hacks, but they can help us deal with them.

Steve Jones

