SQL user password hash algorithm and salt value

Question

Post reply

SQL user password hash algorithm and salt value

SQL!$@w$0ME

SSChampion

Points: 12349
More actions
September 22, 2014 at 12:59 pm

#293517

Hi All.. How to find hash algorithm and salt value for sql logins in sql server 2005.

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply

Gail Shaw SSC Guru Points: 1004504 More actions · Answer 1

The algorithm used for SQL logins isn't documented.

Why do you need it?

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Steve Jones - SSC Editor SSC Guru Points: 734449 More actions · Answer 2

This isn't disclosed as it would be a security issue for the platform if someone were to be able to duplicate this.

SQL!$@w$0ME SSChampion Points: 12349 More actions · Answer 3

Is it SHA1 hashed algorithm used by default for sql user password, in sql 2005?

Gail Shaw SSC Guru Points: 1004504 More actions · Answer 4

GilaMonster (9/22/2014)
The algorithm used for SQL logins isn't documented.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

SQL!$@w$0ME SSChampion Points: 12349 More actions · Answer 5

http://sqlity.net/en/2460/sql-password-hash/

This article says sha1 from sql2000 and sha_512 from sql 2012.

Steve Jones - SSC Editor SSC Guru Points: 734449 More actions · Answer 6

SQL!$@w$0ME (9/23/2014)
http://sqlity.net/en/2460/sql-password-hash/
This article says sha1 from sql2000 and sha_512 from sql 2012.

That may be true. It hasn't been documented AFAIK or disclosed by MS, but perhaps it is SHA2_512. That would have been the current recommended hash algorithm when 2012 was being developed. Today I'd say SHA3 is better suited.

Mike C SSC-Insane Points: 23224 More actions · Answer 7

On SQL 2005, 2008, 2008R2 the password is hashed using SHA-1 hashing algorithm with salt. The result is a varbinary string with 0x0100 in the first two bytes. The salt is stored in the next 4 bytes. The hash value is stored in the remainder of the varbinary string.

On SQL 2012 and above the password is hashed using SHA-512 hashing algorithm with salt. The result is a varbinary string with 0x0200 in the first two bytes. The salt is stored in the next 4 bytes. The hash value is stored in the remainder of the varbinary string.