WindChaser
Posting Yak Master
225 Posts
Posted - 2012-03-24 : 13:20:01
Hi folks,

This was asked in another thread which was deviating from the original topic, so I'm posting here instead where it is probably more appropriate.

1. Does anyone know if there are any tools that you can buy straight off the market to crack a SQL Server login password?
2. Can you easily hire a SQL Server wiz off the net to crack data?
3. Does one have to be a rogue Microsoft SQL Server Development Team engineer to know how to hack a SQL Server?

Basically, I just want to get a sense of whether any of my security measures (login password, disabling SA, encrypting data) can be effective, or if there are commercialized products or services out there which will basically counteract anything that I do!
SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2012-03-25 : 09:00:35
There will always be products that will do this. What you can do, and should do, is to protect your data so that the cost (and/or the time) of getting the data is not worth it.

N 56°04'39.26"E 12°55'05.63"
WindChaser
Posting Yak Master
225 Posts
Posted - 2012-03-26 : 13:59:55
Of course, that's the whole idea. Actually, since posting this thread, I've found some tools online which basically render login security useless. So it seems that the last line of defence is encryption because there is no intermediate level of security, such as table-level.

Now, in my case, the data is encrypted/decrypted using EncryptByPassPhrase/DecryptByPassPhrase by a compiled program (.exe). My understanding is that the passphrase is therefore not stored in SQL Server and that a hacker would have to decompile the program to get the passphrase. Is this correct, or is the passphrase also stored in the SQL Server encryption stack?
russell
Pyro-ma-ni-yak
5072 Posts
Posted - 2012-03-26 : 14:11:08
quote: Originally posted by WindChaser
Of course, that's the whole idea. Actually, since posting this thread, I've found some tools online which basically render login security useless.

I very much doubt that. It is very difficult to crack a properly secured data center.

The answers to your 3 questions:
1. No such tool. There are dictionary programs though.
2. No
3. Hacking/Cracking is very difficult and nearly impossible when a site/DC/Server is properly secured.

Learn how to harden your installation.
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2012-03-26 : 15:20:25
The main problem is that with the databases on a user's machine, not in a properly secured data center, you've lost most of the levels of security. It's trivial to bypass the login's password for someone who is local admin on the machine, and if the DB is installed on a client machine, it will be easy for someone to grab the data files off there.

You can't harden the server (because it's not a server).
You can't lock down the physical access to the server (because it's on someone's desk, not in a server room).
You can't restrict logins to the server because the user probably has local admin and if he doesn't, the desktop support people will.
You can't prevent someone walking off with the data files (because the machine is accessible and you can't use TDE on SQL Express).

Hence you are depending completely on a password in the app and column-level encryption. Encrypt By Passphrase uses a TripleDES key behind the scenes for the encryption. Last record I heard for that was cracked in 17 hours. No, a clueless user is not going to know how to do that and I doubt there's an application available to automatically do it, but it's far from impossible.

Also, if I decompile your app, am I going to find the password in plain text?

If that data is sensitive, it should not be in a SQL Express database on a user's machine. Even if it's an app sold to clients, the database should be on a server in a secured server room and the server hardened according to all the recommended practices.

Nothing is uncrackable, but the general rule is 'defend in depth', multiple layers of security so that if one is broken the others still protect the data.

--
Gail Shaw
SQL Server MVP
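The T-SQL below is an added illustration of the two points raised in WindChaser's question and Gail's reply, not code posted by anyone in the thread: with EncryptByPassPhrase the server keeps no copy of the passphrase (so the secret necessarily lives in the calling program), whereas a symmetric key created in the database is stored there under the database master key. It also shows the optional authenticator argument, which binds a ciphertext to the row it was written for. It assumes SQL Server 2008 or later; the passphrase, sample plaintext, row id, certificate and key names are all constructed for the demo.

```sql
-- Added example, not code from the thread. Assumes SQL Server 2008 or later.
-- All secrets, sample values and object names below are constructed for illustration.

-- 1. EncryptByPassPhrase: the caller supplies the passphrase on every call. The server
--    derives a key from it each time and records nothing about it in the catalog, which is
--    why the secret ends up inside the client program (Gail's decompilation point).
DECLARE @passphrase NVARCHAR(128) = N'constructed-sample-passphrase';
DECLARE @plain      NVARCHAR(100) = N'4111 1111 1111 1111';   -- constructed sample value

DECLARE @c1 VARBINARY(8000) = EncryptByPassPhrase(@passphrase, @plain);
DECLARE @c2 VARBINARY(8000) = EncryptByPassPhrase(@passphrase, @plain);

-- Each call salts the key derivation, so the two results differ even for identical input;
-- the comparison below therefore reports 0 (no equal-ciphertext leak across rows).
SELECT CASE WHEN @c1 = @c2 THEN 1 ELSE 0 END AS same_ciphertext;

-- The right passphrase round-trips the value; a wrong one yields NULL instead of an error,
-- so callers must treat NULL as "could not decrypt", not as "column was empty".
SELECT CAST(DecryptByPassPhrase(@passphrase, @c1) AS NVARCHAR(100)) AS decrypted,
       DecryptByPassPhrase(N'wrong-passphrase', @c1)               AS with_wrong_passphrase;

-- 2. Authenticator: tie the ciphertext to its row key so a value copied from another row
--    (whole-value substitution) fails to decrypt. Third argument 1 enables the authenticator,
--    fourth is the authenticator value (sysname).
DECLARE @row_id INT = 42;   -- constructed row key
DECLARE @bound VARBINARY(8000) =
    EncryptByPassPhrase(@passphrase, @plain, 1, CONVERT(SYSNAME, @row_id));

SELECT CAST(DecryptByPassPhrase(@passphrase, @bound, 1, CONVERT(SYSNAME, @row_id)) AS NVARCHAR(100)) AS same_row,
       DecryptByPassPhrase(@passphrase, @bound, 1, CONVERT(SYSNAME, 43))                              AS moved_to_other_row;
GO

-- 3. Server-managed alternative: the key material is stored in the database, protected by
--    the database master key (DMK), which the service master key in turn protects. The app
--    carries no secret, but whoever can open the key on that instance can decrypt, so on a
--    user-controlled machine this is exactly the layer Gail says you cannot rely on.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Constructed-DMK-password-1!';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Column encryption demo';
CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE CardCert;

DECLARE @plain2 NVARCHAR(100) = N'4111 1111 1111 1111';   -- same constructed sample value
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
DECLARE @k VARBINARY(8000) = EncryptByKey(Key_GUID('CardKey'), @plain2);
SELECT CAST(DecryptByKey(@k) AS NVARCHAR(100)) AS decrypted_with_server_key;
CLOSE SYMMETRIC KEY CardKey;

-- Clean up the demo objects.
DROP SYMMETRIC KEY CardKey;
DROP CERTIFICATE CardCert;
DROP MASTER KEY;
```

The trade-off the script makes visible: EncryptByPassPhrase keeps the key out of the data files, so a copied .mdf yields only ciphertext to someone who does not also have the program's passphrase, but the passphrase then has to be protected wherever the program stores it. The server-managed key removes the secret from the application, at the price of making anyone who controls the instance (a local admin in the thread's scenario) able to open it. Either way the authenticator is cheap and worth using, and DecryptByPassPhrase returning NULL on a bad passphrase or authenticator is something the application should log rather than silently display as a blank field.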
WindChaser
Posting Yak Master
225 Posts
Posted - 2012-03-26 : 22:54:21
Thanks for your comments and suggestions. Now I have a better sense of what's out there and what the risks are. Thanks so much!