When I log in with an sa account to a SQL server on our network how is the
login and password transferred? Is it encrypted in some way or transferred in
plain text? If someone had a sniffer on my network could they see the
password just come across and grab it?

It is encrypted but it's very weak. If someone captured a network trace of
you logging in they would indeed be able to determine the password fairly
easily. If you want to see how easy it is, below is an example:
--this is an example of a captured password packet
--actual password used was thequickbrownfox
/*
e2 a5 23 a5 f3 a5 b2 a5 f2 a5 33 a5 s.a...#. .....3.
000000B4 93 a5 13 a5 83 a5 82 a5 53 a5 d2 a5 43 a5 c3 a5 ...... S...C...
000000C4 53 a5 22 a5
*/
-- need to strip out the non password bytes
/*
e2 a5 23 a5 f3 a5 b2 a5 f2 a5 33 a5 93 a5 13 a5 83 a5 82 a5 53 a5 d2 a5 43
a5 c3 a5 53 a5 22 a5
*/
--form varbinary
declare @packet varchar(500)
set @packet = 'e2 a5 23 a5 f3 a5 b2 a5 f2 a5 33 a5 93 a5 13 a5 83 a5 82 a5 53 a5 d2 a5 43 a5 c3 a5 53 a5 22 a5'
set @packet = '0x'+REPLACE(@packet,' ','')
select @packet
--decode
select dbo.decoder(0xe2a523a5f3a5b2a5f2a533a593a513a583a582a553a5d2a543a5c3a553a522a5) as password
You can see the code for the decoder function here
http://www.sqldbatips.com/presentat...HACKING_SQL.zip
HTH
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
"Buck Taylor" <BuckTaylor@.discussions.microsoft.com> wrote in message
news:491768E5-428E-4232-A6C9-6517326E3FA7@.microsoft.com...
> When I log in with an sa account to a SQL server on our network how is the
> login and password transferred? Is it encrypted in some way or transferred
> in plain text? If someone had a sniffer on my network could they see the
> password just come across and grab it?

To add to Jasper's comments, it really is best to NEVER use the sa username
and password. Make it two miles long, store it in a password vault, and
change it every 30 days just for fun. Use AD security to create an
administrative account the DBA uses. Change that password regularly as
well.
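Added example (not code from the thread or from the linked decoder download): the password bytes quoted in Jasper Smith's reply can be reversed without any key, which is why a capture of the login exposes the password. It assumes the transform Microsoft publishes for the TDS login packet (swap each byte's nibbles, then XOR with 0xA5); the function names are hypothetical.

```python
"""Added illustration: the login-packet password transform is keyless obfuscation."""

# Constructed from the password bytes quoted in the thread (spaces removed).
CAPTURED_HEX = (
    "e2a523a5f3a5b2a5f2a533a593a513a5"
    "83a582a553a5d2a543a5c3a553a522a5"
)


def _swap_nibbles(b: int) -> int:
    """Exchange the high and low four bits of one byte."""
    return ((b << 4) | (b >> 4)) & 0xFF


def obfuscate(password: str) -> bytes:
    """Client side: UTF-16LE bytes, swap nibbles, then XOR with 0xA5."""
    return bytes(_swap_nibbles(b) ^ 0xA5 for b in password.encode("utf-16-le"))


def deobfuscate(wire: bytes) -> str:
    """Reverse order: XOR with 0xA5, swap nibbles, decode UTF-16LE."""
    if len(wire) % 2:
        raise ValueError("password field must hold whole UTF-16 code units")
    return bytes(_swap_nibbles(b ^ 0xA5) for b in wire).decode("utf-16-le")


def hex_to_bytes(text: str) -> bytes:
    """Accept hex as pasted from a trace: spaces, newlines, optional 0x."""
    cleaned = "".join(text.split())
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    return bytes.fromhex(cleaned)


if __name__ == "__main__":
    wire = hex_to_bytes(CAPTURED_HEX)
    # No key or secret is supplied anywhere: the bytes alone give the password.
    print(deobfuscate(wire))
    # The forward transform reproduces the captured bytes exactly.
    print(obfuscate("thequickbrownfox") == wire)
```

Because both directions are fixed, public operations, the field offers no confidentiality on its own against anyone who can read the traffic.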