How secure are the passwords of your SQL logins


I was doing some security work to make a SQL Server production environment safer and ready for inspections. There were more than 900 SQL Logins in the environment.

First of all, with the help of the following query, I looked at how many of these SQL Logins were checked against the Password Policy:

Let me first explain how I did the test. SQL Server has a function named PWDCOMPARE. This function takes two parameters: the first is the password you want to try, the second is the password hash.

I ran queries similar to the following:

The following query returns the logins whose password is null:

The following query returns the logins whose password is the same as the login name:
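The author's own queries are not reproduced here; the following T-SQL script is an added example (not the author's code) that shows the checks the text describes: how many SQL logins have the Password Policy enabled, which accept a blank password, and which use the login name as the password. It assumes it is run by a member of sysadmin (or with CONTROL SERVER), since the password_hash column of sys.sql_logins is otherwise not populated.

```sql
-- Added example, not the author's original queries.
-- Run as sysadmin / CONTROL SERVER so that sys.sql_logins.password_hash is populated.

-- 1. How many SQL logins are (not) checked against the Windows password policy?
SELECT is_policy_checked,
       is_expiration_checked,
       COUNT(*) AS login_count
FROM sys.sql_logins
GROUP BY is_policy_checked, is_expiration_checked;

-- 2. Logins that accept an empty password.
--    PWDCOMPARE returns 1 when the clear-text value matches the stored hash.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. Logins whose password is identical to the login name.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE(name, password_hash) = 1;

-- 4. Combined findings for a report: policy not enforced, blank password,
--    or password equal to the login name. Disabled logins are listed too,
--    because they can be re-enabled with the same weak password.
SELECT name,
       is_disabled,
       is_policy_checked,
       CASE WHEN PWDCOMPARE('',   password_hash) = 1 THEN 'blank password'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'password equals login name'
            ELSE 'no match' END AS weak_password_finding
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR PWDCOMPARE('',   password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1
ORDER BY weak_password_finding, name;

-- 5. Generate the remediation statements for logins without policy checks.
--    Note: CHECK_POLICY is enforced when a password is set, so an existing
--    weak password stays in place until it is changed.
SELECT 'ALTER LOGIN ' + QUOTENAME(name) + ' WITH CHECK_POLICY = ON;' AS remediation
FROM sys.sql_logins
WHERE is_policy_checked = 0;
```

Review the generated ALTER LOGIN statements before running them, and follow up with a password change for every login reported by queries 2 and 3.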

I strongly recommend that you do similar security work on any SQL Server instance you take over. On every SQL Server instance where it is possible, enable the Password Policy for SQL Logins so that you can enforce a specific security policy.

According to the Verizon Business 2012 data leakage survey report, 96% of the data leaked in 2011 was taken from database servers.

In 55% of these cases, predictable passwords were used.

In 40% of these cases, stolen account information was used.

According to Application Security Inc. research, among the top 10 threats to databases are users with weak passwords or blank passwords. So obviously the two studies complement each other, and with my test, three studies confirm each other. If you test the SQL logins in your own environment and share your findings with us, I would appreciate it!

Author: Ekrem Önsoy

The original article was written in Turkish by Ekrem Önsoy and translated to English by dbtut with the consent of the author. The copyright of the article belongs to the author. The author shall not be liable in any way for any defect caused by translation.
