Blog Post

SMO "leaks" SQL login passwords (in memory) and (some) SecureStrings in clear-text


Updated 2018-11-04: Expanded test code, renamed the

title of the post so it's clearer.

SMO (SQL Server Management Objects) are the .NET classes underpinning SSMS

(SQL Server Management Studio) and all good PowerShell that interfaces with SQL


SMO connects to SQL Server using the ADO.NET SQLClient library which has 13+ years

of features which help mask the passwords you pass in for SQL Authentication. SMO

bypasses some of those features to often leak the passwords in clear-text.

We'll prove it through repeatable tests that can be used to track if Microsoft

fix the problem or not.