I've logged in to my sqlserver with a registred "sa" sql account and
I want to print (not change) my current password. I can change it but I have an application using the current password.
I have done
select * from sys.sql_logins where name ='sa'
but it gives me a hashed password
If it is impossible, how to export my sa connection to another sql server instance?
WARNING - HORRIFIC PRACTICE
Change your application to use a user OTHER THAN sa, and preferably without sysadmin permissions. Usually database level db_datareader, db_datawriter, and MAYBE db_ddladmin is enough, though it may need a GRANT EXECUTE on the database.
If you can't, then argue some more. In writing.
If you lose again, go change the sa password to a long, strong, cryptographically random password in concert with the application being updated with a new password.
And make sure that instance is used ONLY for that app, so the risk is limited to that one area.
Recovering the current sa password
First, you are a sysadmin, aren't you? You should already know the sa password! If you lost twice, just change the sa password on the other instance to that same one (or, better, change them both to something better), through ALTER LOGIN (below) or the GUI.
Second, realize that EVERY USER OF THAT APPLICATION CAN GET YOUR SA PASSWORD - they can almost certainly extract it right out of the application with a hex editor, looking for the string pwd or pass (either UCS-2 "Unicode" or ASCII).
You have the application, right? Consult your local security admins, and see if you're allowed to open it up in a hex editor and find the sa password yourself.
Moving the sa password
In general, if you want to move the same password around, you can use
ALTER LOGIN sa PASSWORD = 'hash string' HASHED
to change it.
Do not do this regularly - if someone gets hashes of all your passwords (just like you're getting them), it's better that each one have a unique salt, so the attacker has to spend more work testing against many salts before they start finding passwords.
Do not do this from lower protection to higher protection - SQL Server 2005, 2008, and 2008R2 all use the same algorithm. SQL Server 2012 and 2014 use the same. Don't move a 2005/8/8R2 hash to 2012/14; it's significantly weaker (and 2012/14 password hashing is pathetic to begin with).
Thus, you're better off changing the password to what you want in cleartext, so SQL Server generates a new salt. The password hash is incredibly weak, a single iteration of SHA-1 or SHA-512, so it needs all the help it can get.
Related
I am trying to run a script in powershell. It fails because, when it checks the system admin password in SQL Server 2012, the sa login is not recognised. I've changed the password to the sa account, through SSMS without error, to what it should be (according to the company's instruction). All applications, powershell and SSMS were run as administrator.
So what I want to do is establish that the password has changed to the password I set it to. I realize that this is the system admin password so, in normal practice, this shouldn't be easy to find. Even if there is a query against system tables, I suspect it'll be encrypted anyway.
But I need to see that my change has worked or not to establish that the script is failing because of my change or some other reason.
In short, how do I look up the sa password in sql server without compromising security?
There's no way to look at the password, because that would be horrible security-wise. What you could do is check to see if the password matches the hash by running the PWDCOMPARE function like this:
SELECT case when PWDCOMPARE(N'WhatIThinkThePasswordIs',[password_hash])=1 THEN 'Match' ELSE 'No Match' END
FROM sys.sql_logins
WHERE name='sa'
When using MS SQL Server, I keep trying to create more logins for the server with their own passwords however as soon as the login has been created, I go back to look at the login settings and see that the password has been reset to some mysterious 15 character password.
As you can imagine, this basically makes the login unusable. I've seen other cases similar to this specifically for the "sa" login however nothing on the creation of custom logins.
I've tried unchecking the "User must change password at next login", "Enforce password expiration", and "Enforce password policy" checkboxes but this has no effect. The one thing that does work is using no password at all, but obviously this is a huge security risk.
MS SQL Server never store your password for security reason. MS SQL Server store only the HASH of your password.
Therefore settings form can't shown the password. Instead it shows
some mysterious 15 character.
I have a password protected PostgreSQL database (running on windows) which has been accessed by an unauthorized person several times using this simple trick as described here:
Stopping PostgreSQL Windows service
Changing md5 to trust in pg_hba.conf file
Starting Windows service
Accessing database via pgAdmin without a need of password
Is there any way to block this mechanism? I've been thinking about multiple windows users (there's only one administrator account on the machine right now) with limited file change privileges, but I am worried about database functionality and I would prefer a little bit more straight-forward solution.
UPDATE
Thank you all for your responses, they were all very helpful.
It's obvious to me now the user accounts are the way - probably the only right way at all.
Indeed the way to solve the problem is not by looking into PostgreSQL, but by looking into your Windows security. Once someone gains administrator privileges, there is nothing which stops the person from changing anything - this includes your PostgreSQL settings. Even if you set a database password and set proper permissions for the pg_hba.conf file, the unauthorized person can still change the permissions back, or start the database in single user mode (no password required) and modify the passwords.
Create separate Windows user accounts, protect the Admin with a password, and stop using the Admin account for day-to-day work.
Perhaps change all your users to limited. Create a user called postgres thats also limited and set it so that that its the only user that can read/write its own files. You will have your administrator account, that still can do whatever you want to do. Now run the postgres service as the user postgres and youre done.
... and stop giving people your admin password -- you should be fine ;)
The title says it pretty well: I can access my SQL Server from the internet, and my users are configured with strong passwords to access only their respective DBs.
But I receive 10000+ login attacks by day with the user "sa".
I don't need "sa" remote access, how to disable it, and only it?
Thank you!
Security practices by Microsoft and industry state if use SQL authentication to rename the sa account and disable it. There is really no reason to use that account explicity for an application or admin account. Most companies require tracability when it comes to security and use of the sa account in SQL server does not allow for that.
Even if you disable or rename it you will still see attacks coming in for that account, it comes with the territory. The same thing occurs with the default login Oracle has in their product. Script kiddies and other hacking programs are just programmed to check for those type of accounts.
A better option might be to report where the attacks are coming from on the network side to your network team or ISP. They will be able to better handle that to block that traffic through the network layer. Just my opinion.
Perhaps this might help: in conjunction with this:
As far as i know SQL Server lets you diable single sql server logins, but that means the login is disabled in general, regardless of the machine the user is trying to connect from. So you either disable "sa" in general or you'll have give the login a really strong password. You might be able to emulate the desired behavior by using a logon trigger, that checks where the user connects from, if the user is "sa", but i think that's not a viable solution for you, since you seem to be wanting to get rid of the many connection attempts from attacks. In any case, you might want to remove "sa" from the server role "sysadmin" to guard against a potentially successful login attemt.
Is it possible to retrieve (if the user has sa rights) the password of a user in SQL Server 2008 R2?
The scenario is this: I need to automatically store in a document the list of all usernames and passwords, but without changing the password, just reading the actual password.
Is this possible or not?
Yes you can for SQL logins.
You read the hashed passwords sys.sql_logins (maybe only via the DAC) and use a tool like NGS SQLCrack.
However, there is almost no requirement ever to keep these in a document.
For Windows based logins, no. The password is in AD.
And read this: "What are the arguments for and against a network policy where the sys admin knows users passwords?"