Microsoft SQL Server uses unencrypted passwords (opens in new tab)

(galliumdata.com)

3 pointsmaxtardiveau24y ago8 comments

8 comments

Wow, what a nothingburger. First of all, the passwords are hashed on disk; this is just about their transmission over the network (where they can't be hashed without the hash being password-equivalent). Anyway, the headline is only true if you don't count TLS as encryption, which is absurd. Yes, we'd probably be better off using some sort of PAKE protocol, but SQL Server handles passwords the same way basically every other server of any sort handles them. If this were actually a vulnerability in SQL Server, then you could count on one hand the number of services today that accept passwords but weren't also vulnerable.

maxtardiveau2OP4y ago

I respectfully disagree. Like I said in the article, transmitting the password, rather than some form of token, means that this approach is exactly as insecure as HTTP basic auth over TLS, and how many serious enterprise apps use that?

>> we'd probably be better off using some sort of PAKE protocol

Yes, that's my whole point. This problem has been solved, there are tons of libraries, it's not that hard. Why have a weak link like this?

If everything is secured correctly, this is not a vulnerability, but how often are things 100% secured properly? TLS is fine, but many people use a self-signed certificate, which means a MITM attack is often possible. It's bad enough to have someone snoop on your connection, but to have your password compromised... And if your client is not Windows, it often has to use database authentication.

This just stinks. It's especially surprising in an enterprise-class system like SQL Server.

josephcsible4y ago

> transmitting the password, rather than some form of token, means that this approach is exactly as insecure as HTTP basic auth over TLS, and how many serious enterprise apps use that?

Isn't that also exactly as insecure as submitting an HTML form with <input type="password"> is? And I can't think of any enterprise apps that don't use either HTTP basic auth or that over TLS. Which ones are you thinking of?

1 more reply

j / k navigate · click thread line to collapse

8 comments

josephcsible4y ago

maxtardiveau2OP4y ago

>> we'd probably be better off using some sort of PAKE protocol

Yes, that's my whole point. This problem has been solved, there are tons of libraries, it's not that hard. Why have a weak link like this?

This just stinks. It's especially surprising in an enterprise-class system like SQL Server.

josephcsible4y ago

> transmitting the password, rather than some form of token, means that this approach is exactly as insecure as HTTP basic auth over TLS, and how many serious enterprise apps use that?

1 more reply

j / k navigate · click thread line to collapse