New Paper: Microsoft SQL Server Passwords

From: NGSSoftware Insight Security Research (nisrat_private)
Date: Mon Jul 08 2002 - 07:32:47 PDT


    Hi all,
    I've written a paper on how users' passwords, or rather their hashes, are
    stored in Microsoft's SQL Server. The paper discusses the manner in which
    they are hashed and how they can be more easily brute forced as two hashes
    are stored: a case sensitive password hash and an upper case password hash
    are produced. Needless to say, when auditing password strength, it is far
    easier to go after the UPPER cased version. The paper also contains
    some demonstration source code for performing a dictionary based audit
    against the hashes and NGSSoftware have produced an optimized GUI based
    tool, as well.
    
    Microsoft's SQL best practices dictate that SQL logins should not be used in
    favour of native Windows Authentication using an operating system account,
    but we recognize that often consumers of SQL Server do not often want to do
    this. (With a Windows account people have access to other operating system
    services as well as SQL Server, but with just an SQL login they should only
    be able to access the SQL Services. The latter is the 'more safe' option in
    the author's opinion)
    
    Anyway, you can get the paper in the researcher section of the NGSSite @
    http://www.nextgenss.com/ .
    
    Cheers,
    David Litchfield
    NGSSoftware Ltd
    +44(0)208 401 0070
    