syslogins / sysxlogins retrieve password

  • Is there any way to decrypt the password field in Syslogins table or sysxlogins view?

    I have a user that has forgotten his password, but has many reports and processes from 3rd party applications that have this password cached.

    Changing the password is (according to the user) not an option.

    However, I'm feeling vindictive and may just tell him it can't be done.

    MVDBA

  • If he has used a strong password, indeed it can't be done. In sysxlogins, only a one-way hash of the password is stored, therefore it is not possible to retrieve the password by methods other than a brute-force or dictionary attack.

    If he has used a weak password, you could try to break it using SQLCrack from NGSSoftware:

    http://www.nextgenss.com/sqlcrack.htm

    But be prepared to wait some hours/days/weeks/(...) if you have a long password.

    Razvan

  • The password field is actually two hashes, one of which is the password in all uppercase. That's how SQLCrack and NGSSquirrel are able to brute force the password faster. They just compare against the upper-case version, then solve the exact case.

    One of the simpler things to do is if you have the authorization to use a network sniffer, have one running, then have him connect using one of these reporting apps with the cached password. Find the login packet and decrypting the password is trivial. One of my articles talks about the method of "encryption" and references the original literature on the subject both for the password hash and the weak encryption on the wire.

    Login Weaknesses article

    K. Brian Kelley
    @kbriankelley
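
The two-hash layout described in the last reply, as an added example that is not part of the original thread: a small audit helper that flags stored hashes which still carry the uppercase half, and shows how much that half shrinks the worst-case search. The header values and field sizes follow the publicly documented pwdencrypt layouts (an assumption, not stated in the thread), the later single-hash layouts go beyond what the thread covers, and the function names and sample blobs are constructed for illustration.

```python
# Added example: classify SQL Server password-hash blobs by layout.
# Layouts follow the publicly documented pwdencrypt formats (assumption,
# not stated in the thread); the sample blobs are constructed, not real.

HEADER, SALT, SHA1, SHA512 = 2, 4, 20, 64  # field sizes in bytes

def classify(hex_blob):
    """Return a dict describing one password hash value as stored."""
    text = hex_blob.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < HEADER + SALT:
        raise ValueError("blob too short")
    version, body = raw[:HEADER], raw[HEADER + SALT:]
    info = {"salt": raw[HEADER:HEADER + SALT].hex(), "case_insensitive_hash": False}
    if version == b"\x01\x00" and len(body) == 2 * SHA1:
        # Legacy layout: mixed-case hash followed by hash of the uppercased password
        info.update(layout="sha1+uppercase-sha1", case_insensitive_hash=True)
    elif version == b"\x01\x00" and len(body) == SHA1:
        info.update(layout="sha1")
    elif version == b"\x02\x00" and len(body) == SHA512:
        info.update(layout="sha512")
    else:
        info.update(layout="unknown")
    return info

def search_space(length, case_insensitive):
    """Worst-case guesses for an alphanumeric password of a given length."""
    if not case_insensitive:
        return 62 ** length          # a-z, A-Z, 0-9 tried together
    # Uppercase hash first (A-Z, 0-9), then at most 2**length case variants
    return 36 ** length + 2 ** length

def audit(logins):
    """Return names of logins whose stored hash still has the uppercase half."""
    return [name for name, blob in logins.items()
            if classify(blob)["case_insensitive_hash"]]

# Constructed sample data (filler bytes, not real hashes)
SAMPLE = {
    "report_user": "0x0100" + "1a2b3c4d" + "aa" * 20 + "bb" * 20,
    "app_user":    "0x0100" + "5e6f7a8b" + "cc" * 20,
    "new_user":    "0x0200" + "9c0d1e2f" + "dd" * 64,
}

if __name__ == "__main__":
    print("uppercase hash present:", audit(SAMPLE))
    full, reduced = search_space(8, False), search_space(8, True)
    print(f"8 chars: {full} vs {reduced} guesses ({full // reduced}x fewer)")
```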
