views:

13022

answers:

5

I have this query in sql server 2000:

select pwdencrypt('AAAA')

which outputs an encrypted string of 'AAAA':

0x0100CF465B7B12625EF019E157120D58DD46569AC7BF4118455D12625EF019E157120D58DD46569AC7BF4118455D

How can I convert (decrypt) the output from its origin (which is 'AAAA')?

+7  A: 

I believe pwdencrypt is using a hash so you cannot really reverse the hashed string - the algorithm is designed so it's impossible.

If you are verifying the password that a user entered the usual technique is to hash it and then compare it to the hashed version in the database.

This is how you could verify a user-entered value

SELECT password_field FROM mytable WHERE password_field=pwdencrypt(userEnteredValue)

Replace userEnteredValue with (big surprise) the value that the user entered :)

Svet
how can I hash it?
sef
run it through pwdencrypt.
nickf
pwdencrypt() returns a different result after each call - you cannot compare a password by comparing two hashes made with pwdencrypt. Instead you have to use pwdcompare('plaintext psw', 'hashed psw') to correctly compare them.
Anheledir
+1  A: 

You cannot decrypt this password again but there is another method named "pwdcompare". Here is an example how to use it with SQL syntax:

USE TEMPDB
GO
declare @hash varbinary (255)
CREATE TABLE tempdb..h (id_num int, hash varbinary (255))
SET @hash = pwdencrypt('123') -- encryption
INSERT INTO tempdb..h (id_num,hash) VALUES (1,@hash)
SET @hash = pwdencrypt('123')
INSERT INTO tempdb..h (id_num,hash) VALUES (2,@hash)
SELECT TOP 1 @hash = hash FROM tempdb..h WHERE id_num = 2
SELECT pwdcompare ('123', @hash) AS [Success of check] -- Comparison
SELECT * FROM tempdb..h
INSERT INTO tempdb..h (id_num,hash) 
VALUES (3,CONVERT(varbinary (255),
0x01002D60BA07FE612C8DE537DF3BFCFA49CD9968324481C1A8A8FE612C8DE537DF3BFCFA49CD9968324481C1A8A8))
SELECT TOP 1 @hash = hash FROM tempdb..h WHERE id_num = 3
SELECT pwdcompare ('123', @hash) AS [Success of check] -- Comparison
SELECT * FROM tempdb..h
DROP TABLE tempdb..h
GO
Anheledir
+8  A: 

You realise that you may be making a rod for your own back for the future. The pwdencrypt() and pwdcompare() are undocumented functions and may not behave the same in future versions of SQL Server.

Why not hash the password using a predictable algorithm such as MD5 or SHA before hitting the DB?

Kev
Or by `HASHBYTES('sha1', 'password')`.
Rabid
+1  A: 

A quick google indicates that pwdencrypt() is not deterministic, and your statement select pwdencrypt('AAAA') returns a different value on my installation!

See also this article http://www.theregister.co.uk/2002/07/08/cracking_ms_sql_server_passwords/

devio
The pwdencrypt() method returns a different hash for each call - anyhow the pwdcompare() method can compare two hashes.
Anheledir
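As an added illustration (not code from this thread or from SQL Server itself), here is a Python model of the pwdencrypt()/pwdcompare() pair described in the pwdcompare answer above and in the article devio links. The layout is an assumption taken from that 2002 write-up (0x0100 header, 4-byte random salt, SHA-1 of the UTF-16LE password plus salt, then the same over the uppercased password), so the value from the question is only checked for structure, not recomputed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed layout of a SQL Server 2000 pwdencrypt() value (from the 2002 NGS
# write-up behind the Register article): 0x0100 header, 4-byte random salt,
# SHA-1(UTF-16LE(pwd) + salt), SHA-1(UTF-16LE(pwd.upper()) + salt); 46 bytes.
HEADER = b"\x01\x00"

def pwdencrypt(password: str, salt: Optional[bytes] = None) -> bytes:
    """Model of pwdencrypt(): a fresh salt on every call, so outputs differ."""
    salt = os.urandom(4) if salt is None else salt
    pwd = password.encode("utf-16-le")
    upper = password.upper().encode("utf-16-le")
    return (HEADER + salt + hashlib.sha1(pwd + salt).digest()
            + hashlib.sha1(upper + salt).digest())

def parse(blob: bytes) -> dict:
    """Split a stored value into its fields; reject anything else."""
    if len(blob) != 46 or blob[:2] != HEADER:
        raise ValueError("not a SQL Server 2000 pwdencrypt value")
    return {"salt": blob[2:6], "hash": blob[6:26], "upper_hash": blob[26:46]}

def pwdcompare(password: str, blob: bytes) -> bool:
    """Model of pwdcompare(): re-hash with the *stored* salt, then compare."""
    fields = parse(blob)
    candidate = pwdencrypt(password, fields["salt"])
    return hmac.compare_digest(candidate[6:26], fields["hash"])

# The value quoted in the question, produced by pwdencrypt('AAAA').
QUESTION_HASH = bytes.fromhex(
    "0100CF465B7B12625EF019E157120D58DD46569AC7BF4118455D"
    "12625EF019E157120D58DD46569AC7BF4118455D")

def demo() -> dict:
    """Why WHERE pw = pwdencrypt(x) fails while pwdcompare() succeeds."""
    a, b = pwdencrypt("123"), pwdencrypt("123")
    q = parse(QUESTION_HASH)
    return {
        "same_output_twice": a == b,                  # False: different salts
        "both_verify": pwdcompare("123", a) and pwdcompare("123", b),
        "wrong_password_verifies": pwdcompare("124", a),
        "question_salt": q["salt"].hex().upper(),      # 'CF465B7B'
        # Both digests match: an all-uppercase password hashes identically in
        # the case-sensitive and the uppercased half.
        "question_halves_equal": q["hash"] == q["upper_hash"],
    }
```

Because the stored value already carries its salt, only pwdcompare()-style verification (re-hashing with that salt) can ever match; a second pwdencrypt() call picks a new salt and so a plain equality test always fails.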
+3  A: 

You shouldn't really be de-encrypting passwords.

You should be encrypting the password entered into your application and comparing against the encrypted password from the database.

Edit - and if this is because the password has been forgotten, then set up a mechanism to create a new password.

Dynite