Secure password storage on SQL 2000



  • Some time ago i got a DB from a client... I was fiddeling around with it a while and after i did some work on it I passed it to a coworker to doublecheck if everything is ok..

     Afer 2 days he came to me and asked how i finally managed to "secure" the DB... Since he was no longer able to extract the passwords from the user table. He said he tried for half a day and was unable to log on... (That was not a requirement... Had to change something completely different)

    He said he would only get:

    User --- Pass

    Bob --- ******

    Tom --- ******

    Joe ---

    If he querries the Usertable for a valid login...

    Well.. Anyone here knows what SQL Server 2000 Security feature was implmented?

    Spoiler:

    <font class="spoiler">I just changed all passwords to „“ since they where stored in clear text… I don’t like having all the ppls passwords liying openly around… I almost felt sorry for telling him :D </font>

     



  • Too funny - I always cringe when I see plaintext pwd storage.



  • Please salt your hashes when you get around to it.  Precomputation is a real threat these days.



  • They where not hashed... I just changed all Passwords in the DB to the same one...

     All Passwords where stored as 6 asterixes... I didnt want to have all the Passwords from our client on our Development DB.

    I agree with salting is a must if you store passwords... But I was unable to change the user table on that DB to work "propperly"



  • I can never understand why people use plain text passwords in databases these days. Sure it's easier, but seriously... Who wants any random database admin to read their password?

    Sadly I'm fairly sure the new web portal system where I work would have plain text passwords stored. If not in the database, they do store them somewhere serverside. But plaintext passwords are the least of the WTFs (no I won't go into it here).


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.