Hi, using T-SQL, how can I find out whether all SQL logins have strong passwords on SQL 2000 and 2005 servers?

Any help, much appreciated.

Regards Manjot

+1  A: 

You can't! It would be a security issue if you could identify weak passwords. You might want to force all users to change their passwords and enforce a password policy.

The cracker:

// pseudocode:
foreach (var username in 
   exec(@"SELECT username FROM hypothetical.fn_get_users_with_weak_passwords()"))
    PerformDictionaryAttack(username);

Not so good... ain't it?

Mehrdad Afshari
I have sysadmin rights. And for audit purposes I need to find out if a login has a weak password. Isn't there anything to audit this?
Manjot
Manjot: no. It doesn't matter if you are sysadmin or not. Admins *can change passwords* but they can't see current ones.
Mehrdad Afshari
Well, to be more accurate, **officially** there's no way you could do this.
Mehrdad Afshari
There must be something; in this hope I will try to find the answer and, if and when found, post it here. Thanks for your comments.
Manjot
@Manjot: You clearly have no idea what a hash is. Mehrdad is spot on, and you're up a creek (also, stop trying to hack your own database servers). Please read up: http://en.wikipedia.org/wiki/Cryptographic_hash_function
Eric
I think "enforce password policy" as @gbn said would be good for my job. Also: http://social.msdn.microsoft.com/Forums/en-US/transactsql/thread/aa0de02b-b59f-4ebf-a391-b95f5ed00347?prof=required Thanks
Manjot
+1  A: 

I can't imagine an auditor who knows his/her stuff would ask you to check the strength of passwords in a database. As stated above, you can't query for passwords on a DB server no matter what your rights are. It's more likely they'll ask you what your process is for passwords and password strength.

Logins should be tied to a domain account, and the domain controller should have a policy in place that forces strong passwords, at least in the Windows world.

For non-users, i.e. web apps, reports etc., a functional account should be created at the domain level for the application, or better yet, for the group using the database.

For audit purposes this is basically how we do it. From an admin point of view it's much easier letting the Windows domain controllers do their thing and handle the login side of things.

OhioDude
A: 

Yes, it's possible, kind of.

SQL 2005 can link into the group policy password policy. This means you can have SQL login passwords follow the same length, expiration etc. rules as your NT logins. Of course, if you have no policy there, why are they concerned about SQL logins?

For both versions, you can use NGS Squirrel to brute force the password hashes. If you crack the passwords quickly (day? week? month?) then they're not good enough.

If you want a pure T-SQL solution you could emulate Squirrel by using the pwdencrypt function and a loop to run through all permutations.

Otherwise: no. You can only check a password by cracking it...

As it happens, we use domain service/system accounts all over: we have no SQL logins at all.

gbn
Checking policy would be fine. Thanks for your comment.
Manjot
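Since the asker settled on "enforce password policy" as the auditable control, here is the T-SQL an auditor can actually run on SQL Server 2005 to see which SQL logins are not bound to the Windows password policy, and how to bind them. This is an added example, not code from the answer above; it relies on the documented `sys.sql_logins` catalog view and `ALTER LOGIN ... WITH CHECK_POLICY`, which exist in SQL 2005 but not in SQL 2000 (SQL 2000 has no equivalent, so there the answer really is process and domain accounts only). The login name `app_reporting` used in the second statement is a constructed placeholder.

```sql
-- Audit: list every SQL (non-Windows) login and whether the OS password
-- policy and password expiration are enforced for it.
-- Rows with is_policy_checked = 0 are the ones an auditor should flag:
-- nothing stops those logins from having a trivial password.
SELECT
    name,
    is_disabled,
    is_policy_checked,        -- 1 = Windows complexity/lockout rules apply
    is_expiration_checked,    -- 1 = Windows maximum password age applies
    LOGINPROPERTY(name, 'IsMustChange') AS must_change_at_next_login,
    LOGINPROPERTY(name, 'IsExpired')    AS password_expired,
    LOGINPROPERTY(name, 'IsLocked')     AS locked_out
FROM sys.sql_logins
WHERE name NOT LIKE '##%'     -- skip internal certificate-based logins
ORDER BY is_policy_checked, name;

-- Remediation for a flagged login (placeholder name): turn the policy on.
-- CHECK_EXPIRATION requires CHECK_POLICY; MUST_CHANGE forces a new,
-- policy-compliant password at the next connection.
ALTER LOGIN [app_reporting]
    WITH CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
```

Note that enabling the policy does not retroactively validate an existing password; the complexity rules are applied when the password is next set, which is why forcing a change (MUST_CHANGE on the next `ALTER LOGIN ... WITH PASSWORD`) is the usual follow-up. The `sa` login and any login in `sysadmin` should be the first rows you look at in the audit output.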
A: 

I think your best bet is to try a brute force approach using a good dictionary, SQL Ping 3 seems like it would do the job.

Si