When the management of the internal SQL Server account and password, it is easy to think that everything is quite safe. After all, your SQL Server system is protected inside a firewall, but also the protection of Windows authentication, all users need a password to enter. This sounds very safe, especially when you do that all the time. Can in fact, it is not so safe as we thought.
Here we list some of the SQL Server password is very dangerous to judge:
No password testing program
When conducting the test, began to try to crack the code directly would be a big mistake. Whether you are testing locally or through the Internet, strongly suggest that you get permission, and that account is locked after a rollback plan. Finally you have to do is to ensure that the account is locked, the user can operate the database and connected applications will not work correctly.
Through the Internet, the password is still safe
Achieved through a hybrid method for SQL Server, you can easily through a number of analysis software (such as OmniPeek, Ethereal) immediately caught it from the Internet password. Meanwhile, Cain and Abel can be used to capture the password based on TDS. You might think that within the network switch can be avoided by this issue? However, Cain's ARP poisoning routing can easily hack it. In about a minute, this free software you can break your switch and see the local network's internal data exchange, to help other software easier to crawl password.
In fact, the problem did not stop there. Some misunderstanding that in SQL Server using Windows authentication is very secure. However, it is not. The software can also quickly caught from the Internet Windows, Web, e-mail and other related password to gain access to SQL Server.
By using the password policy, we can not test the password
No matter how severe your password policy, but always have some way to bypass it. Example, there is now a server is not configured a Windows extraterritorial host, SQL Server, or an unknown number of special tools, they can break the strongest password. These things can take advantage of the weakness of your password and your code policy is ineffective.
Also, equally important is that some test results may be that because your password has been very strong, your database is safe, but you do not gullible. Must test and verify what your password is still defective. Although you may think all is well, but in fact you may drop off something.
You only need to worry about your primary database server
Since the SQL Server password is not regained, that if I knew he was strong, very safe, why should I break him?
In fact, SQL Server password is to regain the. In SQL Server 7 and SQL Server 2000, you can use something like Cain and Abel or charges NGSSQLCrack this tool to obtain the password hash table, and then break through the violence of their attacks. These tools allow you to password SHA hash of the SQL Server table for reverse engineering. Although the break can not guarantee results, but it really is a weakness of SQL Server.
Microsoft Baseline Security Analyzer is used to eliminate a tool for SQL Server vulnerabilities, but he is not perfect, especially in regard password cracking. For in-depth SQL Server and Windows password cracking, we need to use third-party software, such as free SQLat and SQLninja (can be found in the SQLPing 3) and the Windows password cracking tools, such as ElcomSoft's Proactive Password Auditor and Ophcrack.
In addition, using the SQL Server using Windows authentication does not mean that your password is safe. Some people just learn how to crack Windows passwords, spend some time in, you can crack your password and control the entire network. In particular, if they use the <> Ophcrack's LiveCD to attack a physically insecure Windows hosts, such as laptop computers or easy to reach the server, it will become easier.
You only need to worry about your primary database server
It is easy to focus attention on their SQL Server systems, but ignores the network may have MSDE, SQL Serve Express, and other possible procedures for SQL Server. These systems may be unsafe to use the default settings, or simply no password. Through the use of such tools SQLPing 3 to the database server to attack these systems, you will easily be broken.
IT, like everything else, you always struck down by some of the details. If you can abandon the right to judge the risk of SQL Server password, you will improve your SQL Server security.