SQLServerCentral
Password Ninjas
Henry_Lee
Old Hand

Group: General Forum Members
Points: 349 Visits: 1658
How is this different than Password Safe? Just wondering if I'm missing something. I sync through dropbox, but the safe itself is encrypted on my machines/devices and decrypted there as well.


Hey Steve,

Sorry, I might have made that a little confusing. I didn't mean to compare PasswordSafe and LastPass directly - my description was really meant to distinguish LastPass's model from other online providers, for example Dropbox.

Dropbox manages your encryption keys, so they can decrypt your data. Contrast that with LastPass - or SpiderOak would be a great comparison. SpiderOak is an online storage / syncing provider just like Dropbox. LastPass and SpiderOak do not have your encryption keys - they can not decrypt your data.

Of course, you could put a PasswordSafe or TrueCrypt file in Dropbox and they couldn't read it, but that's you working around Dropbox's inherent insecurity by encrypting your data locally. I'm not suggesting there's anything wrong with this approach, I just think it is important folks distinguish between what Dropbox does versus what companies like LastPass and SpiderOak do.
Eric M Russell
SSCarpal Tunnel

Group: General Forum Members
Points: 4643 Visits: 9579
Steve Jones - SSC Editor (7/19/2013)
djackson 22568 (7/18/2013)

Unmentioned in the article is an issue the industry needs to address, which is that a lot of vendors develop software that requires a specific password in order to function. Sometimes these are database accounts and passwords, sometimes they are internal application accounts, but I have seen vendors request network accounts that must have a particular name and password.



Thanks for the mention here, Dave. This is a huge problem, and one I worry about. I always try System and Manager on Oracle instances, just to see. Those defaults are bad, but the back doors or "support" logins are horrible.


For identifying weak SQL Server accounts, I use the following.
-- There are several frequently used password lists posted on the web. 
-- Here are a few, but perhaps 100 or more could be inserted here.
declare @pw table (pwtext varchar(180) not null primary key);
insert into @pw (pwtext)
values ('password'), ('123456'), ('12345678'), ('1234'), ('qwerty'), ('12345');
select name, type_desc, create_date, modify_date, password_hash
from sys.sql_logins l
join @pw pw on pwdcompare(pw.pwtext, l.password_hash) = 1;

-- Query accounts with empty password:
select name, type_desc, create_date, modify_date, password_hash
from sys.sql_logins
where pwdcompare('', password_hash) = 1;

-- Query accounts where password = account name:
select name, type_desc, create_date, modify_date, password_hash
from sys.sql_logins
where pwdcompare(name, password_hash) = 1;



As for 3rd party service accounts, we often times have to live with the fact that it has to exist, but we can still control what role membership and permissions it has. They may recommend sysadmin, but you can grant them dbo membership on the application database, sqlagent, and perhaps view server state as needed.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
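As an added example (not Eric's code), the three checks above folded into one audit pass that also reports logins created with CHECK_POLICY or CHECK_EXPIRATION off, followed by the narrower grants he describes for a third-party service account. The password list is a constructed sample, the login, database and password are hypothetical, and the ALTER ROLE syntax assumes SQL Server 2012 or later.

```sql
-- Added example, not the poster's code. Part 1: one audit pass over sys.sql_logins
-- reporting the three weak-password cases from the post plus two policy flags.
declare @pw table (pwtext nvarchar(128) not null primary key);
insert into @pw (pwtext)   -- constructed sample list; extend from a published list
values (N'password'), (N'123456'), (N'12345678'), (N'1234'), (N'qwerty'), (N'12345'), (N'Password1');

with findings as (
    select l.name, l.type_desc, l.create_date, l.modify_date, l.is_disabled,
           case
               when pwdcompare(N'', l.password_hash) = 1    then 'empty password'
               when pwdcompare(l.name, l.password_hash) = 1 then 'password equals login name'
               when exists (select 1 from @pw pw
                            where pwdcompare(pw.pwtext, l.password_hash) = 1)
                                                            then 'password on common list'
               when l.is_policy_checked = 0                 then 'CHECK_POLICY is off'
               when l.is_expiration_checked = 0             then 'CHECK_EXPIRATION is off'
           end as finding
    from sys.sql_logins l
)
select name, type_desc, create_date, modify_date, is_disabled, finding
from findings
where finding is not null
order by case finding when 'empty password'             then 1
                      when 'password equals login name' then 2
                      when 'password on common list'    then 3
                      else 4 end, name;

-- Part 2: a vendor service account provisioned with the narrower rights the post
-- suggests instead of sysadmin. Login, database and password are hypothetical.
create login [VendorAppSvc]
    with password = N'<generated-strong-password>', check_policy = on;
grant view server state to [VendorAppSvc];        -- only if the product needs DMV access

use [VendorAppDb];
create user [VendorAppSvc] for login [VendorAppSvc];
alter role db_owner add member [VendorAppSvc];    -- dbo on the application database only

use msdb;
create user [VendorAppSvc] for login [VendorAppSvc];
alter role SQLAgentUserRole add member [VendorAppSvc];  -- its own jobs only, not server-wide Agent control
```

Reading password_hash from sys.sql_logins requires CONTROL SERVER, so run the audit from an administrative connection against your own instance.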
Steve Jones
SSC-Dedicated

Group: Administrators
Points: 36242 Visits: 18751
Henry_Lee (7/19/2013)
How is this different than Password Safe? Just wondering if I'm missing something. I sync through dropbox, but the safe itself is encrypted on my machines/devices and decrypted there as well.


Hey Steve,

Sorry, I might have made that a little confusing. I didn't mean to compare PasswordSafe and LastPass directly - my description was really meant to distinguish LastPass's model from other online providers, for example Dropbox.

Dropbox manages your encryption keys, so they can decrypt your data. Contrast that with LastPass - or SpiderOak would be a great comparison. SpiderOak is an online storage / syncing provider just like Dropbox. LastPass and SpiderOak do not have your encryption keys - they can not decrypt your data.

Of course, you could put a PasswordSafe or TrueCrypt file in Dropbox and they couldn't read it, but that's you working around Dropbox's inherent insecurity by encrypting your data locally. I'm not suggesting there's anything wrong with this approach, I just think it is important folks distinguish between what Dropbox does versus what companies like LastPass and SpiderOak do.


That makes sense. For a minute you had me worried. :)

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
steve.alston
Grasshopper

Group: General Forum Members
Points: 13 Visits: 96
I've used passwordsafe previously and I'm currently using the portable version of KeePass Password Safe.
However for my work network login I have my password list printed out in 18 pt and stuck up alongside my monitor.

I have been harassed by security for this and point out that they can try to hack my password. I'll even tell them which one I'm using.

The password list contains makes and models of the cars I've owned; the password is the registration number, possibly with a shifted number suffix to give enough characters.

And if anyone knows the registration number of the Vauxhall Victor I owned in 1972 then they can have my account.
marlon.seton
SSC Eights!

Group: General Forum Members
Points: 845 Visits: 319
Rod at work (7/18/2013)
This topic brings to me an incident I saw at a state agency I used to work at, so please indulge me as I relate this war story. This is some years ago, but still the whole issue of passwords and maintaining secure passwords has been around for quite some time. While I was there, the state capital IT sent out a message to all state agencies warning everyone that no one should write their password on a sticky note and put it on the monitor or anywhere else near the computer. Failure to comply with this would result in severe discipline, up to and including termination. At this particular state agency where I worked, there were certain areas (labs and such) where many people shared a common PC. The edict from the state IT was something everyone took seriously, but I also witnessed how ingenious people can be in finding ways to comply with the letter of the law but still break the spirit of the law. This was back when Windows had a screensaver option to allow you to write a text message as the screen saver. So what they did was write the text, "The password is " followed by what the password was.

I had to laugh.


If I used text speak, I'd write LOL, but I don't so I won't. Still, it did raise a chuckle.
marlon.seton
SSC Eights!

Group: General Forum Members
Points: 845 Visits: 319
steve.alston (7/22/2013)
And if anyone knows the registration number of the Vauxhall Victor I owned in 1972 then they can have my account.


Well, if it was a 1972 model, I'd know it ends in K or L, that it's three letters, one, two or three numbers, then the K or L, none of the first three letters is a Z and there's an S, or there isn't an S, depending on whether the car came from Scotland or not. Even with the number/letter transformations, that's not that many combinations.
Sean Lange
SSCoach

Group: General Forum Members
Points: 16632 Visits: 17024
marlon.seton (7/24/2013)
If I used text speak, I'd write LOL, but I don't so I won't.


But you did write it. ;-)

_______________________________________________________________

Need help? Help us help you.

Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

Need to split a string? Try Jeff Moden's splitter.

Cross Tabs and Pivots, Part 1 – Converting Rows to Columns
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs
Understanding and Using APPLY (Part 1)
Understanding and Using APPLY (Part 2)
marlon.seton
SSC Eights!

Group: General Forum Members
Points: 845 Visits: 319
Sean Lange (7/24/2013)
marlon.seton (7/24/2013)
If I used text speak, I'd write LOL, but I don't so I won't.


But you did write it. ;-)

True, but I couldn't really write "If I used text speak, I'd write , but I don't so I won't", could I?
SQLRNNR
SSC-Insane

Group: General Forum Members
Points: 21105 Visits: 18259
I have used PasswordSafe, Keepass and LastPass.

I prefer PasswordSafe of the three but all are just fine.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

Eric M Russell
SSCarpal Tunnel

Group: General Forum Members
Points: 4643 Visits: 9579
My Lenovo laptop came bundled with something called VeriFace, which can substitute facial recognition for login password. It also appears to encrypt files and folders using facial recognition. However, I've never used it.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."