How Safe are Your Passwords?

jgama (SSC-Enthusiastic, General Forum Members):
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/jgama/sqlserverpasswordauditing.asp

Antares686 (SSC-Dedicated, Moderators):
Good article. However, it is only a matter of time before someone will figure out how to crack the password schema of anything, especially if the password storage is easy to get at, so security on your server against being able to see the table with the passwords is your best defense. Then fixing situations where people who would have access that could get there are removed, or set rules about leaving logged-in machines unattended (casual browsing is the biggest threat). And of course location and ability for others to access the machine itself is another major factor. As a Novell teacher told me once:

quote:
The only safe machine does not exist in reality.

K. Brian Kelley (Keeper of the Duck, Moderators):
More on the weakness of the passwords:

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

Of course, since this technique requires access to sysxlogins, you can only implement as a sysadmin. Of course, if someone can take advantage of a SQL server vulnerability to escalate his or her access (called privilege escalation)... you get the idea.

The software that came out of the research:

http://www.nextgenss.com/software/ngssqlcrack.html

The review by Steve:

http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp

The biggest weakness, of course, is if the network traffic can be sniffed and either multiprotocol (with encryption) or SSL are not in use.

K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

K. Brian Kelley
@kbriankelley

abhi_develops (SSC-Enthusiastic, General Forum Members):
Good Article.
I agree that in a short matter of time as processors start getting faster, cracking SA passwords will be child's play.

K. Brian Kelley (Keeper of the Duck, Moderators):
This isn't necessarily the case. It really depends on the encryption mechanism used.

For instance, 40-bit encryption for SSL was cracked in '95 or '96. However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still... which is why they've asked for backdoors in encryption algorithms that are too costly to crack).

don1941 (Ten Centuries, General Forum Members):
quote:

However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still...

When you think about networked computers and the internet, the potential number of computers available for a brute force attack can become reasonable. The SETI screen saver program had hundreds of thousands of users at its peak. This program used your idle time when the screen saver was running to analyze background radio noise to search for Extra Terrestrial Intelligence (SETI).

Google has a tool bar button now that allows you to participate in pretty much whatever someone wants to pay them for in the same way. If you break a big problem into small enough parts, you can farm it out to lots of "crackers" to solve in a short elapsed time.


You still can't get 9 women together and have a baby in one month though. Some single-threaded things do just take time.

K. Brian Kelley (Keeper of the Duck, Moderators):
The last estimate I read on cracking true 128-bit encryption for SSL (not the Netscape attempt of yesteryear where only 40 bits were actually encrypted to stay in compliance with US export requirements) was that if you took all the computing power on the planet currently, it would take millions of millions of years.

G.R.Prithiviraj Kulasingham (Ten Centuries, General Forum Members):
This is a very good article.
So, how can we prevent our computer from attacks?
1. Deny rights to syslogins.
2. Deny rights to xp_ procedures.
3. Make your sa password lengthy (according to the white papers it will take only 13 seconds to crack an 8-character password).
4. Include upper level characters in your password (ALT+ key).
5. Monitor the traffic.

Cheers,
Prithiviraj Kulasingham

http://preethiviraj.blogspot.com/
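The five points in the post above, worked into one T-SQL hardening-and-audit script. This is an added example, not code from the thread or its author; it assumes SQL Server 2005 or later (so the login catalog is sys.sql_logins rather than syslogins/sysxlogins), a placeholder login named app_login that already has a user mapped in master, and a placeholder sa password that you replace with your own long passphrase.

```sql
-- Added example (not from the post). Placeholders: [app_login], the sa password.
USE master;
GO

-- 1. Deny rights to the login catalog. Ordinary logins should not be able to
--    enumerate accounts; the password_hash column itself is only visible to
--    CONTROL SERVER holders, so the DENY protects the login list, not the hashes.
DENY SELECT ON sys.sql_logins TO [app_login];
DENY VIEW ANY DEFINITION TO [app_login];   -- also hides other principals' metadata
GO

-- 2. Deny rights to xp_ procedures: switch xp_cmdshell off instance-wide and
--    deny it explicitly to the application login as a second layer.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
DENY EXECUTE ON dbo.xp_cmdshell TO [app_login];
GO

-- 3. and 4. Long sa password with the Windows complexity policy enforced,
--    then disable sa so the well-known account name cannot be used at all.
ALTER LOGIN sa WITH PASSWORD = N'<long passphrase placeholder>', CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;
GO

-- Audit: SQL logins that bypass the policy, and any login with a blank password.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR PWDCOMPARE(N'', password_hash) = 1;

-- Audit: who holds sysadmin. These principals can read the hashes regardless
-- of the DENYs above, so this list is the one to keep short.
SELECT name
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;
GO

-- 5. Monitor the traffic: sessions arriving without TLS are the ones whose
--    credentials and data could be sniffed on the wire.
SELECT session_id, client_net_address, auth_scheme, encrypt_option
FROM sys.dm_exec_connections
WHERE encrypt_option = 'FALSE';
GO
```

Run the audit queries on a schedule and alert on any new row; the DENY and ALTER LOGIN statements are one-time changes that should be re-checked after each restore of master.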

Nicholas Wang (Old Hand, General Forum Members):
Kind of off topic but not really...

How does one go about finding a lost / forgotten sa password? Assuming that one cannot even log in to the box.

Err... this happens to err.. my friend's *cough cough* dev box that hasn't been used for quite some time...

K. Brian Kelley (Keeper of the Duck, Moderators):
NGSSQLCrack:

http://www.ngssoftware.com/