Is there a way to view the password of non-sysadmin accounts on SQL Server 2016?
I'm a database admin. I can simply change the password for the user, but I'd love to know if there is a way I can retrieve the password without resetting it.
In SQL Server user and login passwords are never stored; they are hashed. When a user logs in by presenting a password, that password is hashed and compared to the stored hash.
Related
When we create the datasource in the reporting service, we need to assign the account to connect to that datasource, either windows, sql user.
If we choose sql user, we wonder that where is the password of sql user is stored. Or does it encrypt with any algorithm?
Can I refer to any official document regarding this issue?
The details are stored in the dbo.DataSource table. The Username and Password are stored in the UserName and Password columns respectively and are encrypted, as is the ConnectionString column. An end user would not be able to decrypt it, unless they obtained the decryption key used internally by SSRS.
When using MS SQL Server, I keep trying to create more logins for the server with their own passwords however as soon as the login has been created, I go back to look at the login settings and see that the password has been reset to some mysterious 15 character password.
As you can imagine, this basically makes the login unusable. I've seen other cases similar to this specifically for the "sa" login however nothing on the creation of custom logins.
I've tried unchecking the "User must change password at next login", "Enforce password expiration", and "Enforce password policy" checkboxes but this has no effect. The one thing that does work is using no password at all, but obviously this is a huge security risk.
MS SQL Server never store your password for security reason. MS SQL Server store only the HASH of your password.
Therefore settings form can't shown the password. Instead it shows
some mysterious 15 character.
I have a contained database with users authenticated in the database only (i.e. SQL user with password). What I am looking to do is the "uncontain" the database. Before I can change alter the database to containment 'NONE', I must remove all contained users. What I really want to do is create a SQL login for the user retaining the same password.
With a server login, I can use LOGINPROPERTY('myusername', 'PasswordHash') to get the password hash. For a SQL user with password (a contained user), this returns null. Where can I get the password hash for a contained user?
This article has the answer http://sqlblog.com/blogs/argenis_fernandez/archive/2014/07/28/scripting-out-contained-database-users.aspx
The article states that for contained database users, there is (currently) no method of obtaining SID or password hashes without connecting to the DAC (Dedicated Administrator Connection). Once you establish a DAC connection, the following query will give you the password hash:
SELECT password FROM sys.sysowners WHERE name = 'ContainedUser'
For information on how to connect get a DAC with SSMS, see https://technet.microsoft.com/en-us/library/ms178068(v=sql.105).aspx
Have you tried the sp_help_revlogin stored procedure?
I've created a default MVC 4 project with login authentication
When I register for an account with password: 123456
Why is it stored in the SQL database as: ALWsAlpVTehuGr7W2jaGwoX3Ww0RE5GC+yYDITvCpCdHmIIrX7vwMoTW3cEbMsGd4w==
If so, how does it compare the 2 strings to check whether the password entered is correct?
By default when passwords are stored in an SQL database they are encrypted. When you try logging in again the password will be encrypted before the authentication attempt, then this encrypted password will be compared to the one stored in the database.
It is disturbingly common for companies databases to become compromised. Imagine if a hacker got a copy of your database and right there was everyone's usernames and passwords in plain text. Most people use the same password for multiple sites so imagine the repercussions. Whereas if the hacker only has the encrypted passwords there is no way to reverse the salt and get the original plain text passwords out.
Is it possible to retrieve (if the user has sa rights) the password of a user in SQL Server 2008 R2?
The scenario is this: I need to automatically store in a document the list of all usernames and passwords, but without changing the password, just reading the actual password.
Is this possible or not?
Yes you can for SQL logins.
You read the hashed passwords sys.sql_logins (maybe only via the DAC) and use a tool like NGS SQLCrack.
However, there is almost no requirement ever to keep these in a document.
For Windows based logins, no. The password is in AD.
And read this: "What are the arguments for and against a network policy where the sys admin knows users passwords?"