Decrypting Password of SysxLogins Table - SQL Database.

  • Question

  • Hi,

        Is there any way of decrypting password value stored in sysxlogins table of SQL database?

    Thx in Adv

    Thursday, December 15, 2005 12:12 PM

Answers

  • This is a SQL Server 2000 table that is no longer available in SQL Server 2005. The password value normally contains a SHA1 hash of the password (unless the password is for a login created in a previous version and maintained through upgrade to SQL Server 2000). If the value is NULL and the login is a SQL login, it means that the password is empty. Otherwise, to determine the password, you would have to do a brute force attack on the hash. If the password is weak, a brute force attack will be quite successful, so it's very important to have strong passwords.

    In SQL Server 2005, password strength can be enforced on Windows 2003 systems to follow the Windows password policy settings. Also, these password hashes can only be seen by a sysadmin now. Furthermore, empty passwords cannot be as easily identified; they have a hash as well rather than showing up as NULL.

    Thanks

    Laurentiu

    Thursday, December 15, 2005 6:43 PM
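
An added example, not part of the original thread or any poster's code: a T-SQL audit for SQL Server 2005 and later that lists SQL logins exempt from the Windows password policy, or whose stored hash matches an empty password or the login's own name. It assumes sysadmin access to `sys.sql_logins` and uses the built-in `PWDCOMPARE` function; `[example_login]` in the closing comment is a placeholder.

```sql
-- Added audit example (not from the thread). Run as a sysadmin on SQL Server 2005+.
-- Since empty passwords no longer show up as NULL, compare the stored hash
-- against an empty string with PWDCOMPARE instead of testing for NULL.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,       -- 0 = Windows password policy not enforced
    l.is_expiration_checked,   -- 0 = password never expires
    CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1
         THEN 1 ELSE 0 END AS has_blank_password,
    CASE WHEN PWDCOMPARE(l.name, l.password_hash) = 1
         THEN 1 ELSE 0 END AS password_equals_name,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins AS l
WHERE l.is_policy_checked = 0
   OR PWDCOMPARE(N'', l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1
ORDER BY has_blank_password DESC, password_equals_name DESC, l.name;

-- Remediation for a flagged login (placeholder name): set a strong password,
-- then turn policy enforcement on.
-- ALTER LOGIN [example_login] WITH CHECK_POLICY = ON;
```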

All replies

  • Hi,

    I was questioned by my Security Team whether the password in SQL Server 2005 syslogin table may be hacked.

    Currently is there any tool or function that can decrypt the hashed password into human readable format?

    Please enlighten me with links if possible.

    Thanks!

    DL
    Monday, September 14, 2009 8:01 AM
  • I know this is an old thread, but I felt the need to contribute this link to answer the question this topic is answering. The link should answer all questions related to this issue. http://hkashfi.blogspot.com/2007/08/breaking-sql-server-2005-hashes.html
    • Proposed as answer by Matthanielcm Friday, July 29, 2011 6:42 PM
    Friday, July 29, 2011 6:42 PM