
This article was published on September 3, 2009


Microsoft SQL Server exposes passwords. Microsoft doesn’t care.

Story by Boris Veldhuijzen van Zanten, CEO and co-founder, TNW

Boris is a serial entrepreneur who founded not only TNW, but also V3 Redirect Services (sold), HubHop Wireless Internet Provider (sold), and pr.co. Boris is very active on Twitter as @Boris and Instagram: @Boris.

Sentrigo, a database security software company, has discovered a flaw in Microsoft SQL Server that allows any user with administrative privileges to read the unencrypted passwords of all other users. The passwords are exposed when applications access the server using SQL Server authentication.

You might argue that once a hacker has gained administrative access to your servers, you are in deep shit anyway.

But, as you might also know, most people use the same password everywhere, so a hacker gaining access AND getting the passwords of everybody in your company might make matters a lot worse.

Adding insult to injury, Microsoft has indicated that it does not intend to address the vulnerability at this time.

The kind people at Sentrigo have therefore released a free software utility to allow users to protect their systems. This came after they had warned Microsoft and asked for a fix, only to get a friendly reply informing them that nothing would be done.

If you are using mixed authentication mode (“SQL Server & Windows Authentication Mode”), you are vulnerable. This affects SQL Server 2000, 2005, and 2008, running on all supported Windows platforms.
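As an added check (not from the article, and not Sentrigo's utility), the following T-SQL audits the conditions the article names: whether the instance runs in mixed mode, which SQL Server logins exist, which live sessions used SQL Server authentication, and who holds the administrative (sysadmin) role that the flaw requires. It assumes SQL Server 2005 or later (the catalog views below do not exist in 2000) and a login with VIEW SERVER STATE.

```sql
-- Added audit script; not part of the original article or of Sentrigo's tool.
-- Assumes SQL Server 2005+ and a login granted VIEW SERVER STATE.

-- 1. Authentication mode. IsIntegratedSecurityOnly = 1 means Windows-only;
--    anything else is mixed mode, the configuration the article calls vulnerable.
SELECT
    CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
        WHEN 1 THEN 'Windows Authentication only (not affected)'
        ELSE 'Mixed mode (SQL Server & Windows Authentication) - affected'
    END AS auth_mode,
    SERVERPROPERTY('ProductVersion') AS product_version;

-- 2. Enabled SQL Server (non-Windows) logins: these are the credentials that
--    applications present over SQL Server authentication.
SELECT name, create_date, modify_date
FROM sys.sql_logins
WHERE is_disabled = 0
ORDER BY name;

-- 3. Live user sessions that authenticated with SQL Server authentication.
--    Windows-authenticated sessions carry a non-NULL nt_user_name.
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND s.nt_user_name IS NULL
ORDER BY s.login_time;

-- 4. Members of the sysadmin role: the administrative privilege the article
--    says is enough to read other users' passwords.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```

Where query 1 reports mixed mode and query 2 or 3 returns rows, the exposure the article describes applies; the membership list from query 4 is the set of accounts whose compromise would expose those passwords.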