
SQL Server 2000, yes 2000 password hash

I need to store a password hash in a SQL Server 2000 database. The information isn't critical, but I really don't want to store the password in clear text. How can I get a unique hash (sha, sha1, md5, etc.) in SQL Server 2000, as HashBytes isn't available?

I'm not looking for a compiled DLL or the ilk. I don't have access to the server; it needs to be pure MS SQL.

Justin808 asked May 05 '10 02:05


1 Answer

There are undocumented (until later versions) functions in MS SQL Server 2000 called pwdencrypt() and pwdcompare().

See this blog: Undocumented SQL Server 2000 Functions

Or on MSDN books online:

  • PWDENCRYPT()
  • PWDCOMPARE()

However, this function has been known to be insecure since at least 2002. For some details see "Cracking MS SQL Server passwords" at TheRegister. I guess that's why it got replaced by HashBytes.

If you can't upgrade your SQL Server instance or use any add-ons, this might be the best you can do. Unless you hash the password in application code and store the resulting digest string, leaving the SQL Server out of the loop.

Bill Karwin answered Oct 15 '22 23:10