locked
encryption/decryption RRS feed

  • Question

  • We have a SS2000 database. It is used as the backend for a website. One table has the user's login and passwords. The passwords look to be encrypted. Does SS2000 have the capability to encrypt the passwords or is that something that the application may have done? If it's possible for SS2000 to encrypt a column, is there any way to decrypt those passwords. The database is being moved to a new vendor and the intent is to move the data to an Oracle database.

    Thanks for your help.

    DanD

    Thursday, August 26, 2010 8:01 PM

Answers

  • Hi DanPD, 

    It is possible to encrypt your data in SQL Server, but you cannot decrypt the SQL encrypted data. 

    Please take a look at the following link.

    http://technet.microsoft.com/en-us/library/cc966453.aspx

     

    Friday, August 27, 2010 3:37 PM
  • No this article is not at decryption of the passwords. It's a brute force program to break the passwords. similar to:

    select name + ' - [PWD: qwerty]'
    from sys.sql_logins 
    where pwdcompare('qwerty', password_hash) = 1
    

    where the password 'qwerty' is tested. Don't think this is runnable on a sql2000 though there is code here: http://msmvps.com/blogs/gladchenko/archive/2005/04/06/41083.aspx for sql 2000.

    But all in all, this is only a brute force. It will not help you. I believe you need to assign/let users choose new passwords when you move to oracle. It might be so that oracle uses the same hash function to oneway decrypt passwords. If this is the case, then you ought to be fine to just migrate the data as it is. But I don't know if this is possible. Perhaps a fellow contributor here knows if this path is possible. It shouldn't be a too uncommon scenario.


    Regards Marten Rune Microsoft Certified IT Professional Database Administrator/Developer 2008
    Monday, August 30, 2010 10:03 AM

All replies

  • Hi DanPD, 

    It is possible to encrypt your data in SQL Server, but you cannot decrypt the SQL encrypted data. 

    Please take a look at the following link.

    http://technet.microsoft.com/en-us/library/cc966453.aspx

     

    Friday, August 27, 2010 3:37 PM
  • Hi DanPD, 

    It is possible to encrypt your data in SQL Server, but you cannot decrypt the SQL encrypted data. 

    Please take a look at the following link.

    http://technet.microsoft.com/en-us/library/cc966453.aspx

     


    I found an article that seems to say that you can. It's here - <cite>www.ngssoftware.com/papers/cracking-sql -passwords.pdf</cite> .

    Thanks Arbi.

    Friday, August 27, 2010 7:11 PM
  • DanPD, 

    If it works let me know. If they can 100% decrypt encrypted password, Microsoft has to close SQL Server project. 

    Thanks,

    Friday, August 27, 2010 8:15 PM
  • No this article is not at decryption of the passwords. It's a brute force program to break the passwords. similar to:

    select name + ' - [PWD: qwerty]'
    from sys.sql_logins 
    where pwdcompare('qwerty', password_hash) = 1
    

    where the password 'qwerty' is tested. Don't think this is runnable on a sql2000 though there is code here: http://msmvps.com/blogs/gladchenko/archive/2005/04/06/41083.aspx for sql 2000.

    But all in all, this is only a brute force. It will not help you. I believe you need to assign/let users choose new passwords when you move to oracle. It might be so that oracle uses the same hash function to oneway decrypt passwords. If this is the case, then you ought to be fine to just migrate the data as it is. But I don't know if this is possible. Perhaps a fellow contributor here knows if this path is possible. It shouldn't be a too uncommon scenario.


    Regards Marten Rune Microsoft Certified IT Professional Database Administrator/Developer 2008
    Monday, August 30, 2010 10:03 AM