New Paper: Microsoft SQL Server Passwords

["NGSSoftware Insight Security Research" <nisr () nextgenss com>]

Hi all,
I've written a paper on how users' passwords, or rather their hashes, are
stored in Microsoft's SQL Server. The paper discusses the manner in which
they are hashed and how they can be more easily brute forced as two hashes
are stored: a case sensitive password hash and an upper case password hash
are produced. Needless to say, when auditing password strength, it is far
easier to go after the UPPER cased version. The paper contains also contains
some demonstration source code for performing a dictionary based audit
against the hashes and NGSSoftware have produced an optomized GUI based
tool, as well.

Microsoft's SQL best practices dictate that SQL logins should not be used in
favour of native Windows Authentication using an operating system account,
but we recognize that often consumers of SQL Server do not often want to do
this. (With a Windows account people have access to other operating system
services as well as SQL Server, but with just an SQL login they should only
be able to access the SQL Services. The latter is the 'more safe' option in
the author's opinion)

Anyway, you can get the paper in the researcher section of the NGSSite @
http://www.nextgenss.com/ .

Cheers,
David Litchfield
NGSSoftware Ltd
+44(0)208 401 0070