views: 304
answers: 3

I have just noticed that SQL Profiler 2008 is not hiding trace outputs that include sp params called password. In 2005 it used to give me a message saying "The text has been replaced with this comment for security reasons".

Have they removed this security feature?

A: 

But if you pass your passwords as parameters, it should display them. The solution should be storing passwords encrypted in the database. With this solution you'll need to pass your passwords encrypted.

Canavar
I am no SQL expert, however I thought if the trace found the word password it would auto-hide it and show the security message instead?
redsquare
I think it's your design choice. What if you're storing your passwords in a field like PassCode? You decided to store your passwords in clear text in your database, so it shouldn't prevent them. If they are valuable, you should know that someone (who can trace your database) can access them easily by selecting your table.
Canavar
A: 

Yes, it did use to automatically filter out "password" in Profiler. I believe this was a feature added maybe in SQL Server 2000 SP4, but I've seen a number of people wanting to switch this off as it was filtering out instances that they actually wanted to see. So whether MS have removed it/made that functionality switchable I'm not sure - can't seem to find anything on it for 2008 atm.

Edit: I can't find any information on this regarding 2008. Everything I can find relates to people wanting to do the opposite - in SQL 2000/2005, switch that "feature" off, for which the solution has been to replace use of the "password" parameter with an alternative name like "pwd".

AdaTheDev
It was introduced in SQL Server 2000 SP4. Apparently, the only way to remove it from *that* version is via patching of the exe file! (Yikes!) See Here: http://www.andreabertolotto.net/Articles/SP4BlacklistedWordsRemover.aspx
CraigTP
+1  A: 

There is a difference between trapping the string "password" and genuine security holes.

Try this:

CREATE LOGIN foo WITH PASSWORD = 'bar'

In SQL 2005 profiler:

--*CREATE LOGIN-----------------------

Security is maintained.

Now, if you're sending dynamic SQL to a password column...

gbn
Yup, thankfully not my app. I was profiling looking for perf issues and found this inside a legacy app of the client's.
redsquare
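As an added illustration of the design point raised above (this is example code, not from any poster in the thread): keep only a per-user salt and a salted hash in the table, so that the "select your table" exposure Canavar describes yields no clear-text passwords. It does not change what the OP observed about the trace itself: the @Password parameter of the RPC call is still visible to anyone tracing the server, just as gbn's CREATE LOGIN text is masked in the 2005 profiler while a stored-procedure parameter is not. The table dbo.AppUser and the two procedures are hypothetical names; HASHBYTES('SHA2_256', ...) assumes SQL Server 2012 or later (on 2008, HASHBYTES only offers MD5/SHA1), and CRYPT_GEN_RANDOM exists from 2008 onward.

```sql
-- Added example (not from the original thread). Assumptions: dbo.AppUser,
-- dbo.CreateAppUser and dbo.VerifyAppUser are hypothetical names;
-- HASHBYTES('SHA2_256', ...) needs SQL Server 2012+.

CREATE TABLE dbo.AppUser (
    UserName     sysname        NOT NULL PRIMARY KEY,
    Salt         varbinary(16)  NOT NULL,
    PasswordHash varbinary(32)  NOT NULL   -- SHA-256 of (salt + password); no clear-text column
);
GO

-- Registration: generate a random salt per user and store only the salted hash.
-- The @Password value still crosses the wire and shows up in a trace of this RPC call.
CREATE PROCEDURE dbo.CreateAppUser
    @UserName sysname,
    @Password nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    INSERT dbo.AppUser (UserName, Salt, PasswordHash)
    VALUES (@UserName, @Salt,
            HASHBYTES('SHA2_256', @Salt + CAST(@Password AS varbinary(256))));
END
GO

-- Verification: recompute the salted hash and compare against the stored one.
-- @IsValid is 1 on a match, 0 for a wrong password or an unknown user.
CREATE PROCEDURE dbo.VerifyAppUser
    @UserName sysname,
    @Password nvarchar(128),
    @IsValid  bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT @IsValid = CASE
        WHEN PasswordHash = HASHBYTES('SHA2_256', Salt + CAST(@Password AS varbinary(256)))
        THEN 1 ELSE 0 END
    FROM dbo.AppUser
    WHERE UserName = @UserName;
    SET @IsValid = ISNULL(@IsValid, 0);   -- no row found: unknown user
END
GO

-- Usage with constructed sample values.
EXEC dbo.CreateAppUser @UserName = N'alice', @Password = N'correct horse';

DECLARE @ok bit;
EXEC dbo.VerifyAppUser @UserName = N'alice', @Password = N'correct horse', @IsValid = @ok OUTPUT;
SELECT @ok AS IsValid;
EXEC dbo.VerifyAppUser @UserName = N'alice', @Password = N'wrong', @IsValid = @ok OUTPUT;
SELECT @ok AS IsValid;
```

Selecting dbo.AppUser now returns only salts and hashes, which addresses the table-read risk Canavar raises; the parameter-masking question the OP asked about is a separate matter, since the profiler sees the RPC parameters before they reach the procedure.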