NGSSoftware Insight Security Research
A NGSSoftware Insight Security Research Publication
Microsoft SQL Server Passwords
(Cracking the password hashes)
David Litchfield
(david@ngssoftware.com)
24th June 2002
www.ngssoftware.com
How does SQL Server store passwords?
SQL Server uses an undocumented function, pwdencrypt(), to produce a hash of the user's
password, which is stored in the sysxlogins table of the master database. This is probably fairly
commonly known. What has not been published yet are the details of the pwdencrypt()
function. This paper will discuss the function in detail and show some weaknesses in the way
SQL Server stores the password hash. In fact, as we shall see later on, I should be saying
'password hashes'.
What does an SQL password hash look like?
Using Query Analyzer, or the SQL tool of your choice, run the following query:
select password from master.dbo.sysxlogins where name='sa'
You should get something similar to the following returned:
0x01008D504D65431D6F8AA7AED333590D7DB1863CBFC98186BFAE06EB6B327EFA5449E6F649BA954AFF4057056D9B
This is the hash of the 'sa' login's password on my machine.
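As an added example, not part of the paper, the Python below splits a stored pwdencrypt value into its fixed-width fields and rebuilds such a value from a password and an explicit salt. It assumes the SQL Server 2000 layout: a 2-byte 0x0100 header, a 4-byte salt, a SHA-1 of the UTF-16LE password with the salt appended, and a second SHA-1 of the uppercased password with the same salt appended; the 46-byte hash quoted above matches that layout. The salt values passed in are constructed, since the real function picks the salt itself; the function and variable names are mine, not SQL Server's.

```python
import hashlib

# The 'sa' hash quoted in the paper, joined into one string (sample input).
SA_HASH_HEX = ("01008D504D65431D6F8AA7AED333590D7DB1863CBFC98186BFAE06EB6B327EFA5449E6"
               "F649BA954AFF4057056D9B")

HEADER = b"\x01\x00"   # version marker that opens every stored value
SALT_LEN = 4
DIGEST_LEN = 20        # SHA-1 output size


def parse_hash(hex_value):
    """Split a stored pwdencrypt value into header, salt and the two digests.

    Accepts the value with or without the leading 0x.  Rejects anything whose
    length or header does not fit the assumed 46-byte layout.
    """
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    expected = len(HEADER) + SALT_LEN + 2 * DIGEST_LEN
    if len(raw) != expected or raw[:len(HEADER)] != HEADER:
        raise ValueError("not a SQL Server 2000 pwdencrypt value")
    return {
        "header": raw[0:2],
        "salt": raw[2:6],
        "case_sensitive": raw[6:26],     # SHA-1(UTF-16LE(password) + salt)
        "case_insensitive": raw[26:46],  # SHA-1(UTF-16LE(UPPER(password)) + salt)
    }


def pwdencrypt_with_salt(password, salt):
    """Rebuild the stored value for a password under a caller-supplied salt.

    The real pwdencrypt() chooses the salt itself; taking it as a parameter
    makes the output reproducible so the structure can be inspected.
    """
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    pwd = password.encode("utf-16-le")
    upper = password.upper().encode("utf-16-le")
    h1 = hashlib.sha1(pwd + salt).digest()
    h2 = hashlib.sha1(upper + salt).digest()
    return HEADER + salt + h1 + h2


def compare_salts(password, salt_a, salt_b):
    """Show what changes when the same password is hashed under two salts:
    the header is fixed, everything after it differs."""
    a = pwdencrypt_with_salt(password, salt_a)
    b = pwdencrypt_with_salt(password, salt_b)
    return {
        "same_header": a[0:2] == b[0:2],
        "salts_differ": a[2:6] != b[2:6],
        "digests_differ": a[6:] != b[6:],
    }


def compare_case(password, salt):
    """Show that only the first digest depends on letter case: the second
    digest is identical for 'foo' and 'FOO' under the same salt."""
    lower = parse_hash(pwdencrypt_with_salt(password, salt).hex())
    upper = parse_hash(pwdencrypt_with_salt(password.upper(), salt).hex())
    return {
        "case_sensitive_differs": lower["case_sensitive"] != upper["case_sensitive"],
        "case_insensitive_equal": lower["case_insensitive"] == upper["case_insensitive"],
    }


if __name__ == "__main__":
    fields = parse_hash(SA_HASH_HEX)
    print("salt of the quoted 'sa' hash:", fields["salt"].hex())
    # Constructed salts standing in for two different clock readings.
    print(compare_salts("foo", b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"))
    print(compare_case("foo", b"\x01\x02\x03\x04"))
```

Running the script prints the 4-byte salt carried inside the quoted hash and confirms two properties of the layout: a different salt changes every byte after the header even though the password is unchanged, and the second digest ignores letter case, which is why the stored value is really two hashes of different strength.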
What can we derive from pwdencrypt() about the hash?
Time
The query
select pwdencrypt('foo')
produces
0x0100544115053E881CA272490C324ECE22BF17DAF2AB96B1DC9A7EAB644BD218969D09FFB97F5035CF7142521576
but several seconds later repeating the query
select pwdencrypt('foo')
produces
0x0100D741861463DFFF7B5282BF4E5925057249C61A696ACB92F532819DC22ED6BE374591FAAF6C38A2EADAA57FDF
The two hashes are different and yet the input, 'foo', is the same. From this we can deduce that
time must play an important part in the way password hashes are created and stored. The design
reason behind this will be that if two people use the same password then their hashes will
be different - thus disguising the f