How to recover a SQL Server login password.

Geoff A
Comments posted to this topic are about the item How to recover a SQL Server login password.
Wayne Evans-440401
Nice. Knew there must be a tool to do this

I can see my PC's graphics card will be busy this afternoon to see how long it takes to break my pass.



Wayne

Did you get access denied? Great the security works.

Carmelo Messina
Hi,

In my system

select name, password_hash
from sys.sql_logins;

returns NULL for password_hash for simple users. So what permissions are required?

Carmelo
BenWard
Very useful article, but I can't help but wonder if this was just an excuse to show off that you have a 7970 clocked at 1010MHz!

I read some time ago that very long but easy to remember pass-phrases like peanutbutterandjellysandwiches actually take a password cracker longer to answer than supposedly safe passwords like for example Z34d*&1a.

Alas I don't have access/permission to play with this tool at work - any chance you could run up a benchmark/test or comment on a long pass-phrase like this?

I wonder if this technology supports CrossFireX ... :D

Ben

^ That's me!


----------------------------------------
01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
----------------------------------------
Wayne Evans-440401
Slightly off topic: for the likes of Windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that only the first 8 characters were encrypted in the SAM (no idea what 2008/2012 does). The remaining characters were readable (with a tool like l0pht), so to use Ben's example, it would show as

********tterandjellysandwiches

before any brute-force decryption. A human could probably figure out the missing words, or at least know not to bother with numbers, uppercase or symbols for the brute-force crack.

Maybe using long alphanumeric + symbol passwords is the way forward again, to make the delay too long for the brute-force method to find the password, i.e. before the important passwords get changed.

Must investigate to prove this one way or another to myself! :)


Geoff A
BenWard (3/4/2013)
Very useful article, but I can't help but wonder if this was just an excuse to show off that you have a 7970 clocked at 1010MHz!

I read some time ago that very long but easy to remember pass-phrases like peanutbutterandjellysandwiches actually take a password cracker longer to answer than supposedly safe passwords like for example Z34d*&1a.

Alas I don't have access/permission to play with this tool at work - any chance you could run up a benchmark/test or comment on a long pass-phrase like this?

I wonder if this technology supports CrossFireX ... :D


CrossFire is supported. So is SLI if you use NVIDIA.
I am not bragging. If I were, I would tell you I actually have an HP workstation with 2 Xeon procs and crossfired 7970s.
Your 30 character password is stronger than your 10 character password.

You have to use the CPU version of hashcat to crack 30 characters, and with 16 cores it would still take over 100 years! I suppose if you have a rack of Cisco UCSs at your disposal, you could get that down to a handful of days...
BenWard
excellent - thanks for the info.

I've decided to do some maths.

If you used a dictionary based brute force it might feasibly take less time I suppose depending on how many words were in your dictionary.

The Oxford English dictionary has ~ 220,000 words plus they estimate more than 8000 additional words are in use.

The number of possible combinations on a 5-word pass-phrase like "peanut butter and jelly sandwiches" would be 228000^5 or:
616132666368000000000000000

For a letter-by-letter brute-force attack you'd be looking at 26^30 or:
~281319890128474591925862102961600000000000

An 8-character 'secure' password has roughly 80 different characters you might expect to see used, so 80^8:
1677721600000000


So a dictionary attack is dramatically quicker on the passphrase than character by character, but is easily scuppered by throwing the number 5 into the middle of a word, using a French word etc. Even with the dictionary attack it is still hugely more effective than the regular 8 character model in use by most places.


Fun times.

Ben

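The following is an added example and is not code from the article or from any poster in this thread. It shows what the password_hash column Carmelo queried actually contains for a SQL Server login (the two documented formats: 0x0100 followed by a 4-byte salt and SHA-1 over the UTF-16LE password plus salt for SQL 2005 to 2008 R2, and 0x0200 followed by a 4-byte salt and SHA-512 over the same input for SQL 2012 and later), how a cracker of the kind Geoff benchmarks tests each guess against that value, and how the search spaces Ben computed compare once a hash rate is plugged in. Every password, salt, wordlist and hash rate in it is constructed for the example; the only real things are the hash layouts.

```python
"""Added example; not code from the article or from any poster in this thread.

Stored formats (salt and password encoding are what SQL Server uses):
    0x0100 || 4-byte salt || SHA-1(UTF-16LE(password) || salt)     SQL 2005 to 2008 R2
    0x0200 || 4-byte salt || SHA-512(UTF-16LE(password) || salt)   SQL 2012 and later
"""
import hashlib
import hmac
import itertools
import os

# version marker -> (hash function, digest length in bytes)
FORMATS = {"0100": (hashlib.sha1, 20), "0200": (hashlib.sha512, 64)}


def make_hash(password: str, salt: bytes = None, version: str = "0200") -> str:
    """Build the value SQL Server stores in sys.sql_logins.password_hash."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("SQL Server uses a 4-byte salt")
    hash_fn, _ = FORMATS[version]
    digest = hash_fn(password.encode("utf-16-le") + salt).digest()
    return "0x" + version + salt.hex().upper() + digest.hex().upper()


def parse_hash(stored: str):
    """Split a stored hash into (hash function, salt, digest).

    Rejects anything that is not one of the two formats above, including the
    NULL/None a caller gets when it is not allowed to read the column."""
    if not isinstance(stored, str):
        raise ValueError("no hash to crack (column was NULL)")
    body = stored[2:] if stored[:2].lower() == "0x" else stored
    hash_fn, digest_len = FORMATS.get(body[:4], (None, 0))
    if hash_fn is None or len(body) != 4 + 8 + 2 * digest_len:
        raise ValueError("unrecognised SQL Server password_hash format")
    return hash_fn, bytes.fromhex(body[4:12]), bytes.fromhex(body[12:])


def check_candidate(stored: str, candidate: str) -> bool:
    """One cracker iteration: hash the guess with the stored salt and compare.
    The salt is per login, so one precomputed table cannot serve every login."""
    hash_fn, salt, digest = parse_hash(stored)
    guess = hash_fn(candidate.encode("utf-16-le") + salt).digest()
    return hmac.compare_digest(guess, digest)


def phrase_attack(stored: str, words, max_words: int):
    """Dictionary attack on a run-together passphrase: try every ordered
    combination of 1..max_words words. The cost is sum(len(words) ** k), which
    is Ben's 228000 ** 5 figure for five words from a full dictionary, rather
    than 26 ** 30 for the same string attacked letter by letter."""
    for k in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=k):
            candidate = "".join(combo)
            if check_candidate(stored, candidate):
                return candidate
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Worst-case number of guesses for a brute-force run."""
    return alphabet_size ** length


def years_to_exhaust(space: int, hashes_per_second: float) -> float:
    """Worst-case time to cover a keyspace at a given cracking rate."""
    return space / hashes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = bytes.fromhex("01020304")        # fixed so the output is reproducible
    stored = make_hash("peanutbutterandjellysandwiches", salt)
    print("stored:", stored)
    print("Z34d*&1a matches?", check_candidate(stored, "Z34d*&1a"))
    # constructed six-word list; a real run uses a dictionary of 10^5+ words
    words = ["peanut", "butter", "and", "jelly", "sandwiches", "coffee"]
    print("phrase attack found:", phrase_attack(stored, words, 5))
    rate = 1e9   # assumed hashes per second; not a figure from the thread
    for label, space in [("5 words from 228000", keyspace(228000, 5)),
                         ("30 lowercase letters", keyspace(26, 30)),
                         ("8 chars from 80", keyspace(80, 8))]:
        print(f"{label:>22}: {space:.3e} guesses, "
              f"{years_to_exhaust(space, rate):.3e} years worst case")
```

Two things worth noticing when running it: the salt is only four bytes and sits in the clear in front of the digest, so it defeats shared rainbow tables but does nothing to slow down a per-login brute force, and the hash is a single unsalted-speed SHA-512 (or SHA-1 on older versions) rather than a deliberately slow construction, which is exactly why a GPU gets through so many guesses per second.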
SQLCharger
Scary and unsettling.

More reason to ensure access to master db is restricted (backups too!)

Long live long passwords :-D

Cheers,

JohnA

MCM: SQL2008
paul.knibbs
Wayne Evans-440401 (3/4/2013)
Slightly off topic: for the likes of Windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that only the first 8 characters were encrypted in the SAM (no idea what 2008/2012 does). The remaining characters were readable (with a tool like l0pht), so to use Ben's example, it would show as

********tterandjellysandwiches


It didn't quite work that way. The old LAN Manager password system that was used prior to Kerberos authentication split the password into two 7-character chunks and encrypted them separately--it was thus possible for a password cracker to deal with each half individually and work much faster. It also wasn't case sensitive, massively reducing the possible list of passwords any cracker needed to check. Note that Windows 2000 and 2003 would still generate a LAN Manager hash for any passwords shorter than 15 characters in order to maintain backward compatibility with older versions of Windows that didn't recognise Kerberos.

The password specified above would be too long to get an LM hash on Windows 2k/2k3, so you'd only have a problem if you were trying to use it on a pre-Active Directory domain. It would get split into PEANUTB and UTTERAN, and since both of those are simple dictionary words with one or two letters attached, would be crackable extremely easily.
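As an added example that is not part of Paul's post or the article, the block below carries out the LAN Manager preprocessing he describes (uppercase, pad or truncate to 14 bytes, split into two 7-byte halves, no LM hash at all from 15 characters up) and quantifies what the split does to the cracking cost. The DES step that turns each half into the stored hash is deliberately left out, since everything that weakens LM happens before it; the OEM code page (cp437) and the 69-symbol alphabet size are assumptions made for the example.

```python
"""Added example; not code from Paul's post or from the article."""

LM_LEN = 14      # an LM hash covers at most 14 characters
LM_CUTOFF = 15   # per the post, 2000/2003 stop generating an LM hash at 15+ characters


def lm_halves(password: str):
    """Return the two 7-byte blocks an LM hash is built from, or None when no
    LM hash would be stored at all. Uppercasing is why case does not matter to
    an LM cracker; the split is why each half can be attacked on its own."""
    if len(password) >= LM_CUTOFF:
        return None
    # LM works on the OEM code page (cp437 assumed here); characters it
    # cannot represent are replaced rather than raising
    raw = password.upper().encode("cp437", errors="replace")
    padded = raw[:LM_LEN].ljust(LM_LEN, b"\x00")
    return padded[:7], padded[7:]


def lm_guesses(alphabet_size: int) -> int:
    """Worst-case guesses to recover a 14-character LM password: the two
    halves are independent, so the cost is 2 * n**7, not n**14."""
    return 2 * alphabet_size ** 7


def full_guesses(alphabet_size: int, length: int) -> int:
    """Worst-case guesses when the whole password must be searched at once."""
    return alphabet_size ** length


if __name__ == "__main__":
    for pw in ("Z34d*&1a", "peanutbutteran", "peanutbutterandjellysandwiches"):
        print(f"{pw!r}: {lm_halves(pw)}")
    n = 69   # assumed: 26 uppercase letters + 10 digits + 33 printable symbols
    print("LM 14-char worst case:  ", lm_guesses(n))
    print("full 14-char worst case:", full_guesses(n, 14))
    print("reduction factor:       ", full_guesses(n, 14) // lm_guesses(n))
```

The second half of a short password is the telling case: for an 8-character password it is one character followed by six zero bytes, so a cracker recovers it almost instantly and then only has a 7-character, case-insensitive half left to search.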
Jeff Moden
Wow! Awesome article, Geoff! This is spooky stuff. I knew that passwords mostly kept the honest man honest because there's lots of ways to crack them especially with the power built into some of these bloody video cards. I just had no idea how fast they really were. Thank you for the time you spent on this article. It's going to help me a lot.

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
Although they tell us that they want it real bad, our primary goal is to ensure that we don't actually give it to them that way.
Although change is inevitable, change for the better is not.
Just because you can do something in PowerShell, doesn't mean you should. ;)
