October 24, 2008 at 8:46 am
I have done some searching around Goog and haven't really found an answer.
In SQL 2000 and 2005 individually, are passwords sent in clear text over the network out of the box? I know that you can encrypt the trans using SSL, but what is it by default? Also, this question is geared more toward NOT using Windows Authenticated Accounts; strictly SQL Auth accounts.
Thanks!!
October 24, 2008 at 11:27 am
I think I might have "out googled" you... lemme know if this is the info you're looking for
( credit: http://www.ngssoftware.com/papers/tp-SQL2000.pdf )
"When a user connects to an SQL Server and authenticates as an SQL login, as opposed to a Windows NT/2000 user, their login name and password are sent across the network wire in what is tantamount to clear text. The 'encryption' scheme used to hide the password is a simple bitwise XOR operation. The password is converted to a wide character format, or UNICODE, and each byte XOR'd with a constant fixed value of 0xA5. Of course, this is easy to work out because every second byte of the 'encrypted' password on the wire is 0xA5 and we know that the password is in UNICODE with every second byte being a NULL and when any number is XOR'd with 0 (or NULL) the result is the same: 0x41 xor 0x00 = 0x41, 0xA5 xor 0x00 = 0xA5."
Thanks
Colin
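The scheme described in the quoted paper, as an added example that is not part of the original thread or the paper. Function names and sample passwords are constructed for illustration; the optional `swap_nibbles` step follows the published MS-TDS description of the LOGIN7 password field, which swaps each byte's nibbles before the XOR.

```python
# Added illustration: the SQL-login password obfuscation is keyless, so it
# round-trips with no secret. Names here are this example's own.
XOR_CONST = 0xA5  # fixed constant given in the quoted paper


def _swap_nibbles(b: int) -> int:
    """Exchange the high and low 4 bits of one byte (self-inverse)."""
    return ((b << 4) & 0xF0) | (b >> 4)


def obfuscate(password: str, swap_nibbles: bool = False) -> bytes:
    """Wide-char (UTF-16LE) encode, then XOR every byte with 0xA5."""
    raw = password.encode("utf-16-le")
    if swap_nibbles:  # variant documented in MS-TDS
        raw = bytes(_swap_nibbles(b) for b in raw)
    return bytes(b ^ XOR_CONST for b in raw)


def deobfuscate(wire: bytes, swap_nibbles: bool = False) -> str:
    """Inverse transform; note that no key or secret is required."""
    raw = bytes(b ^ XOR_CONST for b in wire)
    if swap_nibbles:
        raw = bytes(_swap_nibbles(b) for b in raw)
    return raw.decode("utf-16-le")


def every_second_byte_is_a5(wire: bytes) -> bool:
    """The tell from the paper: NULL high bytes XOR 0xA5 stay 0xA5.
    Holds only when every character's high byte is zero (ASCII/Latin-1)."""
    return bool(wire) and len(wire) % 2 == 0 and all(
        b == XOR_CONST for b in wire[1::2]
    )


if __name__ == "__main__":
    for pw in ("S3cret!", "пароль"):  # constructed sample passwords
        for swap in (False, True):
            wire = obfuscate(pw, swap)
            assert deobfuscate(wire, swap) == pw
            print(f"{pw!r} swap={swap}: {wire.hex()} "
                  f"a5-pattern={every_second_byte_is_a5(wire)}")
```

Because the transform has no secret input, the only real protection for a SQL Auth login on the wire is transport encryption such as the SSL option mentioned in the question.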
October 24, 2008 at 11:48 am
I know that in SQL Server 2000 with ODBC, SQL Logins were not encrypted. I am not sure if that is still true for SQL Server 2005 and/or ADO.NET, as I thought that there were some new options to handle this.
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."