storing passwords

jiljil Member Posts: 30
Microsoft SQL server version 7.0
---------------------------------
I have to find out a way wherein the login ID and passwords can be stored
in a more secure way.
I browsed the net and found the following information. Does this apply to SQL Server 7.0?
"
Passwords are stored in the sysxlogins table in encrypted form. SQL Server uses an undocumented function, pwdencrypt(), to produce a hash of the user's password, which is stored in the sysxlogins table of the master database.

When a user attempts to authenticate to SQL Server several things happen to do this. Firstly SQL Server examines the password entry for this user in the database and extracts the "salt" - 84449305 - in the example. This is then appended to the password the user supplies when attempting to log in and a SHA hash is produced. This hash is compared with the hash in the database and if they match the user is authenticated - and of course if the compare fails then the login attempt fails.

The user's password is converted to its UNICODE version if not already in this form. The salt is then appended to the end. This is then passed to the crypt functions in advapi32.dll to produce a hash using the secure hashing algorithm or SHA. The password is then converted to its upper case form, the salt tacked onto the end and another SHA hash is produced."

This method of storing is adopted by SQL Server.
With this method, hacking the passwords sounds so easy!
So...

Can someone suggest a better way of storing the passwords and the login information?
Storing it in the registry is also not safe, I guess!
Thank you.

Comments

  • HackmanC Member Posts: 441
    Anyway, the first thing that SQL asks in network language is:
    give me your password upper this line here please: _______
    If you can't send the correct password encrypted by interprocess communication version pipes or TCP/IP then you don't login. BUT, if you go by Trojans then you can even dump the database, the registry and the whole file system if you like and have the security permissions, i.e. you are running like an admin. So use your best algorithm, or use the bullet proof SHA, or PGP, or any other; at the same time it is very important to NOT leave the doors open. From there... you are secure, for the moment, je, je, je, lol. (just kidding).

    : Microsoft SQL server version 7.0
    : ---------------------------------
    : I have to find out a way wherein the login ID and passwords can be stored
    : in a more secure way.
    : I browsed the net and found the following information. Does this apply to SQL Server 7.0?
    : "
    : Passwords are stored in the sysxlogins table in encrypted form. SQL Server uses an undocumented function, pwdencrypt(), to produce a hash of the user's password, which is stored in the sysxlogins table of the master database.
    :
    : When a user attempts to authenticate to SQL Server several things happen to do this. Firstly SQL Server examines the password entry for this user in the database and extracts the "salt" - 84449305 - in the example. This is then appended to the password the user supplies when attempting to log in and a SHA hash is produced. This hash is compared with the hash in the database and if they match the user is authenticated - and of course if the compare fails then the login attempt fails.
    :
    : The user's password is converted to its UNICODE version if not already in this form. The salt is then appended to the end. This is then passed to the crypt functions in advapi32.dll to produce a hash using the secure hashing algorithm or SHA. The password is then converted to its upper case form, the salt tacked onto the end and another SHA hash is produced."
    :
    : This method of storing is adopted by SQL Server.
    : With this method, hacking the passwords sounds so easy!
    : So...
    :
    : Can someone suggest a better way of storing the passwords and the login information?
    : Storing it in the registry is also not safe, I guess!
    : Thank you.

    [red]Good luck![/red]
    [blue]Hackman[/blue]
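
The hashing scheme described in the quoted text, next to a salted slow-KDF alternative of the kind the question asks for, as an added example that is not part of either post. SHA-1, UTF-16LE encoding, reading the quoted salt 84449305 as four hex bytes, the PBKDF2 parameters and all function names are assumptions.

```python
import hashlib
import hmac
import os

# Salt quoted in the post; treating it as 4 hex-encoded bytes is an assumption.
QUOTED_SALT = bytes.fromhex("84449305")


def legacy_hashes(password, salt=QUOTED_SALT):
    """Scheme as the quoted text describes it (SHA-1 and UTF-16LE assumed):
    one hash over password + salt, a second over UPPER(password) + salt."""
    mixed = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    upper = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return mixed, upper


def hardened_store(password, iterations=600_000):
    """Alternative storage: per-user random salt and a deliberately slow KDF
    (PBKDF2-HMAC-SHA256). No case-folded copy of the password is kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hardened_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed sample passwords that differ only in letter case.
    a_mixed, a_upper = legacy_hashes("Secret1")
    b_mixed, b_upper = legacy_hashes("sEcReT1")
    # The upper-case hash is identical for both, so whoever holds the table
    # only has to search a case-insensitive space: the weakness of storing it.
    print("mixed-case hashes equal:", a_mixed == b_mixed)
    print("upper-case hashes equal:", a_upper == b_upper)

    record = hardened_store("Secret1")
    print("correct password accepted:", hardened_verify("Secret1", record))
    print("wrong-case password accepted:", hardened_verify("sEcReT1", record))
```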
