Hi all,

I've received many responses about my paper on SQL Server passwords [ http://www.nextgenss.com/papers/cracking-sql-passwords.pdf ] and how they are hashed, most of those responses being along the lines of 'but only sa can get the hashes so what is the use in knowing this?'. Well, there are two things that should be noted here.

Firstly, it gives the SQL Server administrator a chance to audit their users' password strength. This is an oft-used practice by system administrators.

Secondly, and more importantly, a normal, low-privileged user can exploit a vulnerability in SQL Server to gain access to the hashes. For anyone who has not read it yet, I'd recommend reading Chris Anley's paper on 'runtime patching' [ http://www.nextgenss.com/papers/violating_database_security.pdf ]. This discusses a three byte [runtime] patch that makes every login equivalent to 'sa' by exploiting a buffer overrun vulnerability. In the wake of so many such vulnerabilities (pwdencrypt(), opendatasource(), openrowset(), etc., etc.) one should consider this as a potential threat. [Apply those patches as soon as possible!]

Actually, as a third and less likely option, if someone can access backup tapes etc., this may also yield the hashes.

Cheers,
David Litchfield