RE: New Paper: Microsoft SQL Server Passwords

From: Pauli Porkka (pauli.porkkaat_private)
Date: Wed Jul 10 2002 - 02:00:45 PDT


    Unfortunately, changing the collation to case sensitive means that all the
    stored procedures and direct SQL queries need to be case sensitive as well.
    Meaning that, for example, creating a table "Customer" and referencing it
    as "customer" in an SQL query will produce an error. So when changing to a case
    sensitive collation, make sure that all the procedures and SQL queries
    (including any SQL scripts which create a database and its tables and so
    forth) are checked on a non-production database before proceeding.
    
    
    Pauli Porkka/PrettyBit Software Oy
    pauli.porkkaat_private
    www.prettybit.fi
    
    -----Original Message-----
    From: Toni Lassila [mailto:toni.lassila@mc-europe.com]
    Sent: 9 July 2002 8:55
    To: NGSSoftware Insight Security Research
    Cc: bugtraqat_private
    Subject: RE: New Paper: Microsoft SQL Server Passwords
    
    
    > -----Original Message-----
    > From: NGSSoftware Insight Security Research
    > [mailto:nisrat_private]
    > Sent: Monday, July 08, 2002 17:33
    > To: bugtraqat_private
    > Subject: New Paper: Microsoft SQL Server Passwords
    >
    >
    > Hi all, I've written a paper on how users' passwords, or
    > rather their hashes, are stored in Microsoft's SQL Server.
    > The paper discusses the manner in which they are hashed and
    > how they can be more easily brute forced as two hashes
    > are stored: a case sensitive password hash and an upper case
    > password hash are produced. Needless to say, when auditing
    > password strength, it is far easier to go after the UPPER cased
    > version.
    
    An added weakness that has not been widely noted:
    
    If you select a case-insensitive collation for your SQL Server
    installation, the user accounts and passwords will be case
    insensitive as well. This means there is a good chance any
    given SQL Server will have very weak passwords.
    
    You can verify if you are operating with case-insensitive
    passwords by running this query:
    
    Select SERVERPROPERTY(N'Collation')
    
    If the name of the collation setting contains 'CI' instead
    of 'CS', all your SQL login passwords are case-insensitive.
    To remedy this is not a simple task, though. I quote from BOL:
    
    
    "After a collation has been assigned to any object other
    than a column or database, you cannot change the collation
    except by dropping and re-creating the object. This can be
    a complex operation. To change the default collation for an
    instance of Microsoft® SQL Server(tm) 2000 you must:
    
    Make sure you have all of the information or scripts needed
    to re-create your user databases and all of the objects in them.
    
    Export all of your data using a tool such as bulk copy.
    
    Drop all of the user databases.
    
    Rebuild the master database specifying the new collation.
    
    Create all of the databases and all of the objects in them.
    
    Import all of your data."
    
    
    > this. (With a Windows account people have access to other
    > operating system services as well as SQL Server, but with just
    > an SQL login they should only be able to access the SQL
    > Services. The latter is the 'more safe' option in the author's
    > opinion)
    
    With this I simply disagree.
    
    --
    Toni Lassila        toni.lassila@mc-europe.com
    Operations Engineer           +358 9 5655 1882
    
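The collation check in Toni's message ("contains 'CI' instead of 'CS'") and Pauli's warning about identifiers changing behaviour both come down to reading the collation name correctly. The script below is an added example, not code from either poster: it classifies SQL Server collation names by case sensitivity and flags a case-insensitive server default, which on SQL Server 2000 is what makes SQL login passwords case-insensitive (from SQL Server 2005 on, SQL login passwords are compared case-sensitively regardless of collation). It also covers a case the substring check misses: binary collations such as `Latin1_General_BIN` are case-sensitive but contain neither `CI` nor `CS`. The server and database collation values are constructed sample data standing in for what `SELECT SERVERPROPERTY(N'Collation')` and `SELECT name, DATABASEPROPERTYEX(name, 'Collation') FROM master..sysdatabases` return; no database connection is made.

```python
"""Classify SQL Server collation names by case sensitivity (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CollationInfo:
    name: str
    case_sensitive: Optional[bool]  # None when the name cannot be classified
    reason: str


def classify_collation(name: str) -> CollationInfo:
    """Read the comparison flags out of a collation name.

    Names look like Latin1_General_CI_AS, SQL_Latin1_General_CP1_CS_AS or
    Latin1_General_BIN; the flags are underscore-separated tokens, so we
    split on '_' rather than searching for substrings (avoids matching
    'CI' inside unrelated tokens).
    """
    tokens = name.upper().split("_")
    if "BIN" in tokens or "BIN2" in tokens:
        # Binary collations compare byte values, hence case-sensitive,
        # even though no CS token appears in the name.
        return CollationInfo(name, True, "binary collation, case-sensitive")
    if "CS" in tokens:
        return CollationInfo(name, True, "CS flag, case-sensitive")
    if "CI" in tokens:
        return CollationInfo(name, False, "CI flag, case-insensitive")
    return CollationInfo(name, None, "no CI/CS/BIN token, inspect manually")


# Constructed sample values, as SERVERPROPERTY / DATABASEPROPERTYEX would return them.
SAMPLE_SERVER_COLLATION = "SQL_Latin1_General_CP1_CI_AS"
SAMPLE_DATABASES: List[Tuple[str, str]] = [
    ("master", "SQL_Latin1_General_CP1_CI_AS"),
    ("Sales", "Latin1_General_CS_AS"),
    ("Archive", "Latin1_General_BIN"),
]


def audit(server_collation: str, databases: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a case-insensitive server default and for
    databases whose collation differs from the server's in case sensitivity
    (queries written for one will not behave the same in the other)."""
    findings = []
    server = classify_collation(server_collation)
    if server.case_sensitive is False:
        findings.append(
            f"server collation {server.name} is case-insensitive "
            f"({server.reason}); on SQL Server 2000 SQL login passwords "
            f"are compared case-insensitively"
        )
    for db_name, coll in databases:
        info = classify_collation(coll)
        if info.case_sensitive != server.case_sensitive:
            findings.append(
                f"database {db_name} uses {coll} ({info.reason}), which differs "
                f"from the server default; object names in queries may resolve "
                f"differently here"
            )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SERVER_COLLATION, SAMPLE_DATABASES):
        print(line)
```

Run against real output by substituting the two query results for the sample values; a collation that classifies as `None` is worth checking against the vendor's collation list rather than assuming either behaviour.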



    This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 21:32:59 PDT