Home Forums Article Discussions Article Discussions by Author Discuss Content Posted by Ken Johnson Securing the SA Account in SQL Server 2005 RE: Securing the SA Account in SQL Server 2005

  • March 14, 2007 at 10:23 am

    #695013

    One problem with that password generator - you only allow 17 total characters (0-9, A-F, hypen) which makes hacking it much simpler than if you allowed 63 or more characters (A-Z, a-z, 0-9, hyphen).  Just as a simple example, a brute force attack on a 4-character password with only 17 allowable characters would take (at maximum), 83,521 attempts.  A brute force attack on a 4-character password with 63 allowable characters requires a maximum of 15,752,961 attempts.  Bute forcing a 4-character password that uses all standard keyboard-accessible printable characters (95 total) requires 81,450,625 max. attempts.

    Here's a simple password generator that takes your idea of using NEWID(), but generates significantly stronger passwords with any printable/keyboard accessible characters from SPACE (0x20) to tilde (0x7e).  This may have to be modified to eliminate certain characters if you want or need to exclude them:

    /*

    -- Requires a numbers table like this

    SELECT TOP 500 Num = IDENTITY(INT, 1, 1)

    INTO dbo.Numbers

    FROM syscolumns s1

    CROSS JOIN syscolumns s2

    ALTER TABLE dbo.Numbers

    ADD CONSTRAINT PK_Numbers

    PRIMARY KEY (Num)

    */

    -- Set this to the max length for the password to generate

    DECLARE @pwd_length INT

    SELECT @pwd_length = 255

    -- Initialize variables, varbinary work password and varchar final pwd

    DECLARE @work_pwd VARBINARY(256)

    SET @work_pwd = CAST('' AS VARBINARY(256))

    DECLARE @pwd VARCHAR(256)

    SET @pwd = ''

    -- Use NEWID() to generate somewhat "random" string of bytes

    WHILE (DATALENGTH(@work_pwd) < @pwd_length)

     SET @work_pwd = @work_pwd + CAST(NEWID() AS VARBINARY(16))

    -- Limit it to the length defined by @pwd_length

    SET @work_pwd = SUBSTRING(@work_pwd, 1, @pwd_length)

    -- Put it in a table

    CREATE TABLE #PwdChars (Num INT PRIMARY KEY NOT NULL, i INT,

     PwdChar INT)

    -- We need to account for non-printable and special characters here.  We only want

    -- keyboard accessible characters; basically SPACE (0x20) to tilde (0x7e).

    INSERT INTO #PwdChars (Num, i, PwdChar)

    SELECT n.Num, CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT),

     CASE

     WHEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) < 32

      THEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) + 32

     WHEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) > 254

      THEN 126

     WHEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) > 126

      THEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) / 2

     ELSE CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) END

    FROM dbo.Numbers n

    WHERE n.Num > 0 AND n.Num <= DATALENGTH(@work_pwd)

    -- Now loop through and build the character password

    WHILE @pwd_length > 0

    BEGIN

     SET @pwd = @pwd + CHAR(

      (SELECT PwdChar

      FROM #PwdChars

      WHERE Num = @pwd_length))

     SET @pwd_length = @pwd_length - 1

    END

    -- Clean up

    DROP TABLE #PwdChars

    -- Display it

    SELECT @pwd