COMMAND

    SQL Server users' passwords cryptanalysis whitepaper and tool

SYSTEMS AFFECTED

    SQL 7, 2000 and other ?

PROBLEM

    David Litchfield of NGSSoftware Insight Security Research posted a
    whitepaper and tool that expose a weakness in the encryption scheme of
    SQL Server users' passwords.

    " The paper discusses the manner in which they (the passwords) are hashed
    and how they can be more easily brute forced, as two hashes are stored: a
    case-sensitive password hash and an upper-case password hash are produced.
    Needless to say, when auditing password strength, it is far easier to go
    after the UPPER cased version. The paper also contains some demonstration
    source code for performing a dictionary-based audit against the hashes,
    and NGSSoftware have produced an optimized GUI-based tool as well. "

    Get it from:

    http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
    http://www.nextgenss.com/products/ngssqlcrack.html

    Update (10 July 2002)
    ======

    Toni Lassila [toni.lassila@mc-europe.com] comments on:

    An added weakness that has not been widely noted: if you select a
    case-insensitive collation for your SQL Server installation, the user
    accounts and passwords will be case-insensitive as well. This means there
    is a good chance any given SQL Server will have very weak passwords.

    You can verify if you are operating with case-insensitive passwords by
    running this query:

        Select SERVERPROPERTY(N'Collation')

    If the name of the collation setting contains 'CI' instead of 'CS', all
    your SQL login passwords are case-insensitive.

    Update (15 July 2002)
    ======

    Patrik Karlsson has released a decoder under GPL (Linux & Win32):

    http://www.cqure.net/tools10.html

SOLUTION

    ?
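The following Python script is an added illustration of the two weaknesses this advisory reports; it is not Litchfield's demonstration code, NGSSQLCrack, or Patrik Karlsson's decoder. It assumes the login-hash layout the paper describes for SQL Server 7/2000 (a 2-byte 0x0100 header, a 4-byte salt, then SHA1 over the UTF-16LE password plus salt and SHA1 over the UTF-16LE upper-cased password plus salt), uses Python's str.upper() as a stand-in for the server's locale-dependent uppercasing (ASCII only), and constructs its own salt, passwords and wordlist. It shows why the upper-case hash collapses the search space (a wrong-case guess still matches it) and, for the collation update, interprets the SERVERPROPERTY('Collation') name, going slightly beyond the update by treating binary (BIN/BIN2) collations as case-sensitive rather than relying on a bare substring test for 'CI'.

```python
"""Added illustration of the SQL Server 7/2000 login-hash weakness.

Assumed hash layout (as the Litchfield paper describes pwdencrypt output):
  2-byte header 0x0100 | 4-byte salt | SHA1(UTF-16LE(pw) || salt)
                                     | SHA1(UTF-16LE(UPPER(pw)) || salt)
str.upper() stands in for the server's locale uppercasing (ASCII only).
All salts, passwords and wordlist entries below are constructed samples.
"""
import hashlib
import os

HEADER = b"\x01\x00"
HASH_LEN = 2 + 4 + 20 + 20  # 46 bytes in total


def sql2000_pwdencrypt(password, salt=None):
    """Build a hash blob in the assumed SQL 2000 layout; salt is 4 bytes."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    cs = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    ci = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return HEADER + salt + cs + ci


def split_hash(blob):
    """Return (salt, case_sensitive_hash, upper_case_hash) from a blob."""
    if len(blob) != HASH_LEN or blob[:2] != HEADER:
        raise ValueError("not a 46-byte SQL 2000 login hash")
    return blob[2:6], blob[6:26], blob[26:46]


def classify_match(blob, candidate):
    """Which stored hash does a candidate match?

    Returns 'case-sensitive', 'case-insensitive' or None. A guess with the
    wrong case still matches the upper-case hash, which is why storing the
    second hash removes case from the search space.
    """
    salt, cs, ci = split_hash(blob)
    if hashlib.sha1(candidate.encode("utf-16-le") + salt).digest() == cs:
        return "case-sensitive"
    if hashlib.sha1(candidate.upper().encode("utf-16-le") + salt).digest() == ci:
        return "case-insensitive"
    return None


def weak_logins(stored, wordlist):
    """Audit {login: blob} against a list of known-bad words.

    Returns {login: word} for every login whose stored hashes (either one)
    match a wordlist entry, i.e. the dictionary audit the paper describes.
    """
    found = {}
    for login, blob in stored.items():
        for word in wordlist:
            if classify_match(blob, word) is not None:
                found[login] = word
                break
    return found


def collation_is_case_insensitive(collation):
    """Interpret the name returned by SERVERPROPERTY('Collation').

    A '_CI_' token means case-insensitive comparison (and, per the update,
    case-insensitive login passwords). Binary collations (BIN/BIN2) compare
    code points and are case-sensitive even without a 'CS' token.
    """
    tokens = collation.upper().split("_")
    if "BIN" in tokens or "BIN2" in tokens:
        return False
    return "CI" in tokens


if __name__ == "__main__":
    salt = b"\x0a\x0b\x0c\x0d"  # constructed, fixed so the run is reproducible
    blob = sql2000_pwdencrypt("Secret1", salt)
    print("hash:", "0x" + blob.hex().upper())
    print("guess 'SECRET1':", classify_match(blob, "SECRET1"))
    print("audit:", weak_logins({"sa": blob}, ["password", "secret1"]))
    print("CI collation:", collation_is_case_insensitive("SQL_Latin1_General_CP1_CI_AS"))
```

Run it as a script to see a constructed hash, the upper-case match for a wrong-case guess, and the collation check; the functions can also be imported and pointed at hashes exported from your own server during an audit.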