SA password lost

  • manoj2001

    SSCrazy

    Points: 2145

    Is there any way to recover the 'sa' password?

    I know we can reset it by ALTER LOGIN, but I just want to know

    is there any way to recover it by using SPs like sp_hexadecimal and all.

    Please experts...waiting for your comments.....

  • Lynn Pettis

    SSC Guru

    Points: 442116

    None that I am aware of at this time.

  • Nadrek

    SSC-Insane

    Points: 20039

    If it was a poor or a short password, you can brute force or dictionary attack it.

    Otherwise, Elcomsoft has software to adjust the Master database directly and replace it with a new password.

  • Lynn Pettis

    SSC Guru

    Points: 442116

    This won't help recover a lost SA password, but at a previous employer I was the only DBA that had the SA password. It was a strong password (actually a phrase) that I wrote down and placed in a sealed envelope, which was placed in a known, secured location (locked, with limited access). When I left I made sure that my replacement knew this so that the SA password could be changed.

  • manoj2001

    SSCrazy

    Points: 2145

    So in all, we can say it is impossible to recover a lost password?

  • Lynn Pettis

    SSC Guru

    Points: 442116

    If you can still log in with sys admin privs (or at least security admin privs), then yes. I would not spend any more time trying to recover the lost password.

  • tedo

    SSCrazy

    Points: 2169

    If you can still log in as yourself with sa priv, then I would say just change the password and secure it in a safe location.

  • Nadrek

    SSC-Insane

    Points: 20039

    manoj2001 (6/20/2011)


    So in all, we can say it is impossible to recover a lost password?

    No; not at all impossible. How fast you can do so depends on:

    A) Whether you can still recover the hash and salt from the server

    B) How long the password is

    C) How complex the character set you know the password to be is

    D) How much money you're willing to spend on GPUs.

    hashcat, and oclhashcat-lite, have modes specifically designed to execute both dictionary attacks and brute force attacks against SQL Server hashes. Speeds with advanced GPUs exceed a billion attempts a second, and multiple GPUs can be used (as well as distributed machines). At these rates, 8 character passwords with both cases, numbers, and the symbols above the numbers as well could be cracked in around a week with a single card in use.

  • duocaiduoyi2009

    SSC Enthusiast

    Points: 139

    I am glad to tell you that you can regain your SA password easily and efficiently with one software called SA password recovery.

    I experienced this one several days ago; it is useful.

    Hope this can help you.

  • narwhal

    Old Hand

    Points: 358

    manoj2001 (6/19/2011)


    Is there any way to recover the 'sa' password?

    I know we can reset it by ALTER LOGIN, but I just want to know

    is there any way to recover it by using SPs like sp_hexadecimal and all.

    Please experts...waiting for your comments.....

    As far as I know, there are some programs that could solve the forgotten password problem. One of my friends told me before; you could check this How To Use page for help:

    http://www.passwordunlocker.com/products/reset-sql-password.html

    ---------------------------------------
    Quickly Recover Windows Password, Make Life Better!

  • Puneet Malhotra-314029

    SSC Enthusiast

    Points: 104

    Hi Dude,

    If you've lost the 'sa' password and you're not the sysadmin on the SQL Server, there's a way to RESET the password.

    If you're sysadmin on the server, you can easily reset the password using the ALTER LOGIN statement.

    But if you want to somehow recover the password from the system, that method is NOT known to me so far.

    You can recover the hash, and if there's software which can translate that hash into the password (Reverse Hashing), then it may be possible. But I haven't come across any software to do so. Hence, it's not possible to recover the password, but you can always reset it. Y

  • Nadrek

    SSC-Insane

    Points: 20039

    Puneet Malhotra-314029 (6/23/2011)


    You can recover the hash, and if there's software which can translate that hash into the password (Reverse Hashing), then it may be possible. But I haven't come across any software to do so. Hence, it's not possible to recover the password, but you can always reset it. Y

    As I've stated above, there is such software, depending on the strength of the password and how much you invest.

    Here's an article about it.

    1) Online dictionary attacks can be used, though they're slow and generate a lot of network traffic (i.e. may slow your server down): SQLPing3 has a (slow) facility for this, in addition to exceptional discovery of SQL Server instances. Metasploit Fast-Track SQL Bruter has a brute forcer, and also has intrusion capabilities, so be very careful if you use that one.

    2) Offline dictionary or brute force attacks can be used:

    The password hash and salt can be recovered from sys.syslogins by anyone with access to that. They can then be fed to software that can attempt either dictionary (including permutated dictionary) or pure brute force attacks.

    One GPLv3 licensed tool would be cudadbcracker plus a good NVIDIA graphics card.

    Another GPU cracker is oclhashcat-lite, which plus a good graphics card can try more than a billion passwords a second. Be aware that the free download is not licensed for commercial use, so you'd need to contact the author for permission to use it for commercial purposes such as yours.

    Next up would be The 40 Euro PasswordsPro and a powerful CPU (or a lot of time), which isn't going to be nearly as fast as the graphics card solutions. Their Extreme GPU Bruteforcer doesn't support MSSQL yet, though you might be able to ask them to add that, as a paying customer, since it should be very easy for them to add.

    There's other CPU-based software, but paying for the PasswordsPro license for brute forcing your own lost password is the simplest.
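
Added example (not part of any post in this thread): a T-SQL audit for the exposure discussed above, where a weak SQL login password can be recovered offline by anyone able to read its hash. It uses only built-in catalog views and functions (`sys.sql_logins`, `PWDCOMPARE`, `LOGINPROPERTY`, `sys.server_role_members`, `sys.server_permissions`); the password in the commented-out reset is a placeholder.

```sql
-- Run as a sysadmin: password_hash is only visible to highly privileged logins.

-- 1) SQL-authenticated logins whose password is trivially guessable or is
--    exempt from the Windows password policy / expiration.
SELECT
    l.name,
    CASE WHEN l.sid = 0x01 THEN 1 ELSE 0 END            AS is_sa,  -- sa keeps SID 0x01 even if renamed
    l.is_disabled,
    l.is_policy_checked,
    l.is_expiration_checked,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime')        AS password_last_set,
    CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1
         THEN 1 ELSE 0 END                              AS blank_password,
    CASE WHEN PWDCOMPARE(l.name, l.password_hash) = 1
         THEN 1 ELSE 0 END                              AS password_equals_name
FROM sys.sql_logins AS l
WHERE l.is_policy_checked = 0
   OR l.is_expiration_checked = 0
   OR PWDCOMPARE(N'', l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1
ORDER BY is_sa DESC, l.name;

-- 2) Principals that can read every login's hash (and so take it offline):
--    sysadmin members and anyone granted CONTROL SERVER.
SELECT p.name, p.type_desc, N'sysadmin member' AS reason
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
UNION ALL
SELECT p.name, p.type_desc, N'CONTROL SERVER' AS reason
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER'
  AND sp.state IN ('G', 'W')   -- GRANT or GRANT WITH GRANT OPTION
ORDER BY name;

-- 3) The reset the thread recommends instead of recovery (placeholder value,
--    left commented out so the script is read-only as written):
-- ALTER LOGIN [sa] WITH PASSWORD = N'<placeholder: new long passphrase>';
```

Any row returned by the first query is a login whose password either fails a basic guess or is not held to the server's password policy; the second query is the list of accounts to keep small.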

  • sulemacwelchqfb

    SSC Journeyman

    Points: 79

    Normally, we prefer to reset the password if we just forgot it. If you want to fully recover the password, then you need to crack it with automated programs, and it would take days to break it once the password is complex.

  • maikaouly

    Valued Member

    Points: 57

    But if you want to somehow recover the password from the system, that method is NOT known to me so far.

    You can recover the hash, and if there's software which can translate that hash into the password (Reverse Hashing), then it may be possible. But I haven't come across any software to do so. Hence, it's not possible to reset password, but you can always reset it. Y

    You can try some password recovery tool to reset your password, maybe it works.

  • anita_lanctot

    SSC Journeyman

    Points: 79

    duocaiduoyi2009 (6/21/2011)


    I am glad to tell you that you can regain your SA password easily and efficiently with one software called SA password recovery.

    I experienced this one several days ago; it is useful.

    Hope this can help you.

    It works great! Thanks for sharing!
