Code Camps and Revisiting a Common Theme

re: Code Camps and Revisiting a Common Theme

Tom Cooley — Sat, 29 Sep 2007 22:22:35 GMT

Hi Adam,

I was one of the relative few who attended your session today on Errors & Exception handling. Nicely done, btw. I consider myself more of a business tier developer than anything, but I've never developed a business application of any substance that did not rely upon a database. I agree with your observation. Interacting with a database is easy. Interacting with a database well is not as easy. I believe many developers take the subtleties of working properly with things like transactions and defensive coding in the database for granted. I wish I had an answer for how to change that, but all I can suggest is that we continue to try to put the word out. Thanks for doing your part.

re: Code Camps and Revisiting a Common Theme

James Trela — Mon, 01 Oct 2007 13:20:07 GMT

Adam,

I attended your presentations at Code Camp 8. I was impressed with the complexity and design of the "sa" password you showed. To further this topic, here are links to :

Stored procedures (or functions) to find the sa password via brute-force or dictionary methods (note that the links to the code fail; perhaps the author can supply the stored procedures):

http://www.sqlservercentral.com/articles/Security/sqlserverpasswordauditing/869/

2002 paper on format of passwords in Microsoft SQL Server 2000, which are hashed and salted. The hash of the capitalized version of the password is stored, which simplifies a brute-force attack:

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

Wikipedia page on salting password hashes:

http://en.wikipedia.org/wiki/Salt_%28cryptography%29

Wikipedia page on precomputed rainbow tables for reverse lookup of hash to yield input password:

http://en.wikipedia.org/wiki/Rainbow_table

RC4, Rijndael encryption in a Stored Procedure via call to ActiveX:

http://www.sqlservercentral.com/articles/Security/rc4encryptioninastoredprocedure/1254/

jmtrela@yahoo.com

re: Code Camps and Revisiting a Common Theme

Adam Machanic — Mon, 01 Oct 2007 18:36:40 GMT

Hi James,

Thanks for the comment and the links, but I wonder if you're thinking of something else? Neither of my talks at the code camp dealt with passwords or hashing.

re: Code Camps and Revisiting a Common Theme

James Trela — Mon, 01 Oct 2007 19:32:19 GMT

Adam,

You're absolutely correct, your talks at the code camp didn't deal with passwords or hashing. I was just impressed by the length and complexity of the password in your example - punctuation characters, 0 (zero) for letter o (if I recall correctly). Although you used mixed casing, this paper says it doesn't make a difference in at least SQL Server 2000:

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

One way to improve password security is to use Unicode characters beyond the lower 256 (if SQL Server allows that). This complicates the search space for a brute force attack. This tip was given to me by Phil Motta of Chronos.