Author: mwchub (guest)
Posted: 04/23/2008 7:45 AM
Hello, I understand that within the system tables for 2000/2005 the login passwords (sa) are encrypted. Without using SSL, are these passwords encrypted when logging in over the wire? I tried ODBC trace & Profiler and was not able to see any clear text passwords. I did not use the "force encryption" option with ODBC as, from what I understand, this is not needed for passwords, just data transmitted. In a nutshell, are passwords covered by encryption/hashing without any special tools enabled? Thanks

Author: Chip Andrews (Posts: 113)
Posted: 05/24/2008 1:23 AM
In SQL 2000 - the login packet is not protected so your password will be transmitted in cleartext. The details of this are in my book "SQL Server Security" from Osborne Press.
In SQL 2005 - there is more protection as stated below in BOL: "Credentials (in the login packet) that are transmitted when a client application connects to SQL Server 2005 are always encrypted. SQL Server will use a certificate from a trusted certification authority if available. If a trusted certificate is not installed, SQL Server will generate a self-signed certificate when the instance is started, and use the self-signed certificate to encrypt the credentials. This self-signed certificate helps increase security but it does not provide protection against identity spoofing by the server. If the self-signed certificate is used, and the value of the ForceEncryption option is set to Yes, all data transmitted across a network between SQL Server and the client application will be encrypted using the self-signed certificate."
Chip
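As an added defender-side check that is not part of Chip's reply or the original thread: on SQL Server 2005 and later, the dynamic management views expose, per connection, whether the whole session negotiated encryption (the situation the quoted BOL text describes once ForceEncryption is set to Yes). The query below is example code written for this page; it assumes the standard `sys.dm_exec_connections` and `sys.dm_exec_sessions` views and the VIEW SERVER STATE permission needed to read them.

```sql
-- Added example, not from the forum thread.
-- Lists every network connection to the instance and whether its session
-- data is encrypted. Note the caveat from the thread: on SQL Server 2005 the
-- login packet is always encrypted, so encrypt_option = 'FALSE' means only
-- the credentials were protected and the rest of the traffic is in the clear.
SELECT  c.session_id,
        s.login_name,
        c.net_transport,          -- TCP, Named pipe, Shared memory, ...
        c.auth_scheme,            -- SQL (login/password) or NTLM/KERBEROS
        c.encrypt_option,         -- 'TRUE' only when the full session is encrypted
        c.client_net_address
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s
        ON s.session_id = c.session_id
WHERE   c.net_transport <> 'Shared memory'   -- local connections never cross the wire
ORDER BY c.encrypt_option, c.session_id;

-- Summary: how many remote sessions are unencrypted vs. encrypted.
SELECT  c.encrypt_option,
        COUNT(*) AS session_count
FROM    sys.dm_exec_connections AS c
WHERE   c.net_transport <> 'Shared memory'
GROUP BY c.encrypt_option;
```

If the second query reports unencrypted sessions, the server-side fix is the ForceEncryption flag Chip quotes (Protocols for the instance, Flags tab, in SQL Server Configuration Manager). Because the self-signed certificate does not protect against server spoofing, install a certificate from a CA the clients trust and have clients request encryption themselves (for example the SQL Native Client keywords `Encrypt=yes;TrustServerCertificate=no`), so the client actually validates the server certificate rather than accepting whatever is presented.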