locked
Is it possible to reveal the sql server login password ? RRS feed

  • Question

  • Hi,

    Is it possible to reveal the login password (SQL 2005 & 2008) via a hacking tool or some extended stored procedures ? Assuming that I've the access to master db.

    TIA.

    DL 

    Tuesday, September 15, 2009 10:01 AM

Answers

  • Hi,

    you cannot. As far as I know, only dictionary attack can be done as the password hash stored.

    for example: you can check if there is any user with no password or the password is {password} - second sample.

     

    --empty passwords
    select * from sys.sql_logins where pwdcompare('', password_hash) = 1
    select * from sys.syslogins where pwdcompare('', password) = 1
    -- password is password
    select * from sys.sql_logins where pwdcompare('password', password_hash) = 1
    select * from sys.syslogins where pwdcompare('password', password) = 1

     

     

     


    I hope it helps.
    Janos


    A train station is where a train stops. On my desk I have a workstation :)
    Tuesday, September 15, 2009 12:28 PM