How Safe are Your Passwords?

  • jgama

    Mr or Mrs. 500

    Points: 509

    Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/jgama/sqlserverpasswordauditing.asp

  • Antares686

    SSC Guru

    Points: 125444

    Good article. However it is only a matter of time before someone will figure out how to crack the password schema of anything. Especially if the password storage is easy to get at so security on your server against being able to see the table with the passwords is you best defense. Then fixing situations where people who would have access that could get there are removed or set rules about leaving logged in machines unattended (causal browsing is the biggest threat). And of course location and ability for others to access the machine itself is another major factor. As a Novell treacher told me once.

    quote:


    The only safe machine does not exist in reality.


  • K. Brian Kelley

    SSC Guru

    Points: 114465

    More on the weakness of the passwords:

    http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

    Of course, since this technique requires access to sysxlogins, you can only implement as a sysadmin. Of course, if someone can take advantage of a SQL server vulnerability to escalate his or her access (called privilege escalation)... you get the idea.

    The software that came out of the research:

    http://www.nextgenss.com/software/ngssqlcrack.html

    The review by Steve:

    http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp

    The biggest weakness, of course, is if the network traffic can be sniffed and either multiprotocol (with encryption) or SSL are not in use.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • abhi_develops

    Say Hey Kid

    Points: 676

    Good Article.

    I agree that in a short matter of time as processors start getting faster, cracking SA passwords will be child's play.

  • K. Brian Kelley

    SSC Guru

    Points: 114465

    This isn't necessarily the case. It really depends on the encryption mechanism used.

    For instance, 40-bit encryption for SSL was cracked in '95 or '96. However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still... which is why they've asked for backdoors in encryption algorithms that are too costly to crack).

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • don1941

    SSCarpal Tunnel

    Points: 4183

    quote:


    However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still...


    When you think about networked computers and the internet, the potential number of computers available for a brute force attack can become reasonable. The SETI screen saver program had hundreds of thousands of users at its peak. This program used your idle time when the screen saver was running to analyze background radio noise to search for Extra Terrestrial Intelligence (SETI).

    Google has a tool bar button now that allows you to participate in pretty much whatever someone wants to pay them for in the same way. If you break a big problem into small enough parts, you can farm it out to lots of "crackers" to solve in a short elapsed time.

    You still can't get 9 women together and have a baby in one month though. Some single-threaded things do just take time.

  • K. Brian Kelley

    SSC Guru

    Points: 114465

    The last estimate I read on cracking true 128bit encryption for SSL (not the Netscape attempt of yesteryear where only 40 bits were actually encrypted to stay in compliance with US export requirements) was if you took all the computing power on the planet currently it would take millions of millions of years.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • G.R.Prithiviraj Kulasingham

    SSCarpal Tunnel

    Points: 4104

    This is a very good article.

    So, How can we prevent our computer from attacks.

    1. Deny rights to syslogins.

    2. Deny rights to xp_ procedures

    3. Make your sa password lengthly (according to the white papers it will take only 13 seconds to crack a 8 characters password.

    4. Include upper level characters in your password (ALT+) key

    5. Monitor the trafic

    Cheers,
    Prithiviraj Kulasingham

    http://preethiviraj.blogspot.com/

  • Nicholas Wang

    Default port

    Points: 1463

    Kind of off topic but not really...

    How do one go about finding a lost / forgotten sa password? Assuming that one cannot even login to the box.

    Err... this happens to err.. my friend's *cough cough* dev box that hasn't been used for quite some time...

  • K. Brian Kelley

    SSC Guru

    Points: 114465

    NGSSQLCrack:

    http://www.ngssoftware.com/

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • jgama

    Mr or Mrs. 500

    Points: 509

    Thank you. You are right, it is a matter of time and opportunity. Faster machines make brute force attacks easier, phone, email, ICQ and other faceless media allow for daring social engineering stunts and hackers with plenty of time and lots of online info will keep on trying to find loopholes. Hackers bring excitement to a DBA's life and actually, not long ago, the concept of databases that would require minimum assistance was gaining some momentum and it was the work of hackers and security analysts that stopped it.

    quote:


    Good article. However it is only a matter of time before someone will figure out how to crack the password schema of anything. Especially if the password storage is easy to get at so security on your server against being able to see the table with the passwords is you best defense. Then fixing situations where people who would have access that could get there are removed or set rules about leaving logged in machines unattended (causal browsing is the biggest threat). And of course location and ability for others to access the machine itself is another major factor. As a Novell treacher told me once.

    quote:


    The only safe machine does not exist in reality.



  • jgama

    Mr or Mrs. 500

    Points: 509

    Thank you. I based my article on NGSS work. They are the best security consultants that I can think of. Their work on SQL injection was also a pioneer and we are always learning from them.

    quote:


    More on the weakness of the passwords:

    http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

    Of course, since this technique requires access to sysxlogins, you can only implement as a sysadmin. Of course, if someone can take advantage of a SQL server vulnerability to escalate his or her access (called privilege escalation)... you get the idea.

    The software that came out of the research:

    http://www.nextgenss.com/software/ngssqlcrack.html

    The review by Steve:

    http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp

    The biggest weakness, of course, is if the network traffic can be sniffed and either multiprotocol (with encryption) or SSL are not in use.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1


Viewing 12 posts - 1 through 12 (of 12 total)

You must be logged in to reply to this topic. Login to reply