SQL Auth passwords in Enterprise Manager

  • If a user has defined a login in SQL Enterprise Manager using SQL Auth, there is a way to get the passwords. Go to Hybridx.com and view the XTip of the week. I have a zip file you can download with VB code that will demonstrate a way to view passwords. This is NOT meant as a hack, but to point out a security hole that needs to be patched. I have written to Microsoft 3 times over the last 3 years, but they seem to ignore me.

    Rob Vallee

    Hybridx.com

  • It sounds like you have to get the executable to run on the DBA's computer (or anyone who creates logins) for this to really be effective. Is that correct? If so, that seems like a remote possibility.

  • ecpasos,

    You are correct to a point. This example does not show how to do it remotely.

    I was able to produce a scenario here with the following:

    I changed the icon for sps.exe to the IE icon. Then I copied the sps.exe to my backup DBA's machine (without his knowledge). Changed his link from the IE icon on his desktop to the sps.exe. When he tried to get on the net, he ran the app instead. After sps.exe made the file I changed his link back for IE and read the file with all the passwords. This of course was a controlled and staged test, but proves a point.

    Robert Vallee
