From: NGSSoftware Insight Security Research (nisr@nextgenss.com)
Date: Mon Jul 08 2002 - 09:32:47 CDT


    Hi all,
    I've written a paper on how users' passwords, or rather their hashes, are
    stored in Microsoft's SQL Server. The paper discusses the manner in which
    they are hashed and how they can be more easily brute forced as two hashes
    are stored: a case sensitive password hash and an upper case password hash
    are produced. Needless to say, when auditing password strength, it is far
    easier to go after the UPPER cased version. The paper also contains
    some demonstration source code for performing a dictionary based audit
    against the hashes, and NGSSoftware have produced an optimized GUI based
    tool as well.

    Microsoft's SQL best practices dictate that SQL logins should not be used in
    favour of native Windows Authentication using an operating system account,
    but we recognize that consumers of SQL Server often do not want to do
    this. (With a Windows account people have access to other operating system
    services as well as SQL Server, but with just an SQL login they should only
    be able to access the SQL Services. The latter is the 'more safe' option in
    the author's opinion.)

    Anyway, you can get the paper in the researcher section of the NGSSite
    http://www.nextgenss.com/ .

    Cheers,
    David Litchfield
    NGSSoftware Ltd
    +44(0)208 401 0070
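The point of the post, that the second (upper-cased) hash collapses every case variant of a password onto one value, can be shown with a short self-audit routine. This is an added example, not code from the paper or from NGSSoftware; it assumes the 46-byte pwdencrypt() layout of SQL Server 2000 (0x0100 marker, 4-byte salt, SHA-1 of the UTF-16LE password plus salt, then SHA-1 of the upper-cased password plus salt), which this post does not spell out, and a constructed salt and password.

```python
import hashlib

# Assumed layout of a SQL Server 2000 pwdencrypt() value (46 bytes):
#   [0:2]   0x0100 version marker
#   [2:6]   4-byte salt
#   [6:26]  SHA-1( UTF-16LE(password) || salt )          case sensitive
#   [26:46] SHA-1( UTF-16LE(UPPER(password)) || salt )   case insensitive
VERSION = b"\x01\x00"


def _sha1_utf16(text: str, salt: bytes) -> bytes:
    return hashlib.sha1(text.encode("utf-16-le") + salt).digest()


def sql2000_hash(password: str, salt: bytes) -> bytes:
    """Build the stored value for an (ASCII) password with a given 4-byte salt.
    str.upper() is used for UPPER(); for ASCII input they agree."""
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    return VERSION + salt + _sha1_utf16(password, salt) + _sha1_utf16(password.upper(), salt)


def parse_hash(stored: bytes):
    """Split a stored value into (salt, case_sensitive_hash, upper_case_hash)."""
    if len(stored) != 46 or stored[:2] != VERSION:
        raise ValueError("not a SQL Server 2000 pwdencrypt() value")
    return stored[2:6], stored[6:26], stored[26:46]


def check_password(stored: bytes, candidate: str) -> dict:
    """Audit one candidate against a stored hash.

    'case_insensitive' is True whenever ANY case variant of the candidate is
    the real password, which is why auditing the second hash needs far fewer
    guesses than auditing the first: only the upper-cased spelling matters."""
    salt, cs_hash, ci_hash = parse_hash(stored)
    return {
        "case_sensitive": _sha1_utf16(candidate, salt) == cs_hash,
        "case_insensitive": _sha1_utf16(candidate.upper(), salt) == ci_hash,
    }


def keyspace_reduction(length: int) -> int:
    """Factor by which the upper-case hash shrinks the search for an all-letter
    password of the given length: 52**n mixed-case spellings map to 26**n."""
    return 52 ** length // 26 ** length


if __name__ == "__main__":
    salt = b"\x01\x02\x03\x04"              # constructed sample salt
    stored = sql2000_hash("Secret", salt)   # constructed sample password
    print(check_password(stored, "SECRET"))  # only the upper-case hash matches
    print(keyspace_reduction(8))             # 256
```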