August 2, 2002 at 12:00 am
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp
August 19, 2002 at 3:00 am
Although these utilities are useful, I felt a chill go down my back the first time I saw one of these things working.
I used the toolkit from http://www.lostpasswords.com on NT and it cracked my NT password in under 30 seconds. My MS Office passwords were cracked more or less instantly.
August 19, 2002 at 9:41 am
I was surprised by this one. I thought the SQL passwords were one way hashes, and unbreakable. Apparently not.
These should scare you and make you enforce strong passwords.
Steve Jones
August 20, 2002 at 2:05 pm
I live by the concept that no matter how good your security (or password) is there will always be someone that can find a way to break it. Nothing is completely secure.
Of course, this doesn't mean I don't try to keep things as secure as possible. The more complex your password, the harder it will be to break.
Robert Marda
SQL Server will deliver its data any way you want it
when you give your SQL Programmer enough developing time.
Robert W. Marda
Billing and OSS Specialist - SQL Programmer
MCL Systems
August 20, 2002 at 8:56 pm
It is scary, and I'm not exactly sure what Microsoft was thinking since an all caps version of the password is in that hash, which reduces the number of possible options by a factor of 2 per character. And once you get the all caps version, it's trivial to then try all possible permutations of upper and lower case letters to get the exact password.
What makes it even worse is the simple payload they came up with to make all user requests look like they came from sa. Marry that with a buffer overflow, grab the passwords, import them into a SQL Server without encryption and set the crack program loose... voilà! The potential is there to be able to get the password for any SQL Server login without anyone knowing better.
The old security rule applies: It's not a matter of if you have an incident, but rather when.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
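An added example, not from the thread or from any of its posters: a small Python model of the search-space reduction Brian describes. It assumes the stored value includes a hash of the upper-cased password (the constructed attacker model), so an attacker can search the case-folded space first and then fix the case of each letter at a cost of 2 per letter; it also covers the edge case of a password with no letters, where the extra hash gives nothing away.

```python
import math
import string

# Constructed attacker model (assumption, based on the thread): the stored
# hash includes a hash of the upper-cased password, so case can be recovered
# separately. All counts are worst-case brute-force guess counts.

def _classes(password: str, case_sensitive: bool) -> int:
    """Size of the character set an attacker must cover per position."""
    size = 0
    if case_sensitive:
        size += 26 if any(c.islower() for c in password) else 0
        size += 26 if any(c.isupper() for c in password) else 0
    else:
        # Upper and lower case collapse into one 26-letter class.
        size += 26 if any(c.isalpha() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += len(string.punctuation) if any(c in string.punctuation for c in password) else 0
    return size

def naive_search_space(password: str) -> int:
    """Guesses needed if only a case-sensitive hash were stored."""
    return _classes(password, True) ** len(password)

def case_folded_search_space(password: str) -> int:
    """Guesses with the upper-cased hash present: search the case-folded
    space, then try every upper/lower assignment of the letters (2 per letter).
    A password with no letters needs no case-fixing step at all."""
    letters = sum(c.isalpha() for c in password)
    fix_case = 2 ** letters if letters else 0
    return _classes(password, False) ** len(password) + fix_case

def bits_lost(password: str) -> float:
    """Effective strength (in bits) given away by the upper-cased hash."""
    return (math.log2(naive_search_space(password))
            - math.log2(case_folded_search_space(password)))

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("Passw0rd", "passw0rd", "12345678", "L0ng3r!Passphr4se"):
        print(f"{pw:18s} naive={math.log2(naive_search_space(pw)):5.1f} bits  "
              f"folded={math.log2(case_folded_search_space(pw)):5.1f} bits  "
              f"lost={bits_lost(pw):4.1f}")
```

The takeaway for policy is that mixed case buys almost nothing under this scheme, while length and non-alphabetic characters still do.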
August 21, 2002 at 3:11 pm
Good points and thanks.
To sum up, create strong passwords and change them often!
Steve Jones