SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


How Safe are Your Passwords?


How Safe are Your Passwords?

Author
Message
jgama
jgama
SSC Rookie
SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)

Group: General Forum Members
Points: 49 Visits: 1
Thank you. You are right, it is a matter of time and opportunity. Faster machines make brute force attacks easier, phone, email, ICQ and other faceless media allow for daring social engineering stunts and hackers with plenty of time and lots of online info will keep on trying to find loopholes. Hackers bring excitement to a DBA's life and actually, not long ago, the concept of databases that would require minimum assistance was gaining some momentum and it was the work of hackers and security analysts that stopped it.
quote:

Good article. However it is only a matter of time before someone will figure out how to crack the password schema of anything. Especially if the password storage is easy to get at so security on your server against being able to see the table with the passwords is you best defense. Then fixing situations where people who would have access that could get there are removed or set rules about leaving logged in machines unattended (causal browsing is the biggest threat). And of course location and ability for others to access the machine itself is another major factor. As a Novell treacher told me once.

quote:
The only safe machine does not exist in reality.








jgama
jgama
SSC Rookie
SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)SSC Rookie (49 reputation)

Group: General Forum Members
Points: 49 Visits: 1
Thank you. I based my article on NGSS work. They are the best security consultants that I can think of. Their work on SQL injection was also a pioneer and we are always learning from them.

quote:

More on the weakness of the passwords:

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

Of course, since this technique requires access to sysxlogins, you can only implement as a sysadmin. Of course, if someone can take advantage of a SQL server vulnerability to escalate his or her access (called privilege escalation)... you get the idea.

The software that came out of the research:

http://www.nextgenss.com/software/ngssqlcrack.html

The review by Steve:

http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp

The biggest weakness, of course, is if the network traffic can be sniffed and either multiprotocol (with encryption) or SSL are not in use.

K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1






Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search