Checking for blank sql passwords

  • Hi All

    I need to check across my DB's which logins have blank passwords

    Thx

    It's better to fail while trying, rather than fail without trying!!!

  • Unless I am mistaken, the MBSA tool (Microsoft Baseline Security Analyzer) will check for blank passwords as part of its checks.

    --------------------------------------------------------------------------------------
    Recommended Articles on How to help us help you and
    solve commonly asked questions

    Forum Etiquette: How to post data/code on a forum to get the best help by Jeff Moden
    Managing Transaction Logs by Gail Shaw
    How to post Performance problems by Gail Shaw
    Help, my database is corrupt. Now what? by Gail Shaw

  • I would use SQLPing.

    K. Brian Kelley
    @kbriankelley

  • smthembu (10/8/2009)


    Hi All

    I need to check across my DB's which logins have blank passwords

    Thx

    In addition to these great suggestions, you can always write a brute force sqlcmd script to check for blank, "password", "sa", and other password values for each of your DB logins. I have a tool (that was purchased) that does a fantastic job of discovering weak passwords (including dictionary attack).

    Having said that, examining your sqlcmd output for 1> will get you similar results on the cheap 😉

    MJM

  • not used sqlping in that context before.

    So sqlping will report on blank passwords or weak passwords for all of the databases on a server?

  • Silverfox (10/8/2009)


    not used sqlping in that context before.

    So sqlping will report on blank passwords or weak passwords for all of the databases on a server?

    SQLPing can do blank password and dictionary password checks (you define the "dictionary"). It's more well known for SQL Server discovery as it uses all known methods to discover SQL Server instances, including registry and services scans (but you need admin rights on the boxes being scanned). This is a primary tool used by a lot of security folks, myself included.

    K. Brian Kelley
    @kbriankelley

  • Thank you once again for suggestions:-)

    It's better to fail while trying, rather than fail without trying!!!

  • Hi Brian

    I haven't used SQLPing, may you perhaps shed more light on that?

    Tx

    It's better to fail while trying, rather than fail without trying!!!
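For an audit run by the DBA from inside the instance, the same check can be done in T-SQL with `PWDCOMPARE` against `sys.sql_logins`. This is an added example, not code from any poster in the thread; it assumes SQL Server 2008 or later and a login allowed to read `password_hash` (for example a sysadmin). The candidate values are the ones named in the thread (blank, "password", "sa"), plus a password equal to the login name, which goes beyond what the thread lists.

```sql
-- Added example: list SQL-authenticated logins whose password is blank
-- or one of a few trivially weak values. Run once per instance; logins
-- are server-level, so this covers every database on that instance.
SELECT  l.name                  AS login_name,
        c.finding,
        l.is_disabled,              -- disabled logins are lower priority
        l.is_policy_checked,        -- 0 = Windows password policy not enforced
        l.is_expiration_checked,    -- 0 = password never expires
        l.modify_date
FROM    sys.sql_logins AS l
CROSS APPLY (VALUES
            (N'',         'blank password'),
            (N'password', 'password is "password"'),
            (N'sa',       'password is "sa"'),
            (l.name,      'password equals login name')
        ) AS c (guess, finding)
-- PWDCOMPARE hashes the candidate with the stored salt and returns 1 on a match.
WHERE   PWDCOMPARE(c.guess, l.password_hash) = 1
ORDER BY l.is_disabled, l.name;
```

Any row returned is a login to reset; rows with `is_policy_checked = 0` also show where `CHECK_POLICY` should be turned on so the weak value cannot be set again.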
