The usp_Check_Passwords stored procedure is a simple T-SQL password-cracking tool that you can use to check the complexity of the passwords used for SQL Server database logins. This stored procedure requires access to the passwd column of the syslogins system table in the master database. It is unlikely that a hacker will gain access to the syslogins table, but nonetheless it’s a useful tool for finding weak passwords.
The stored procedure takes one parameter: the pathname of a text file containing passwords. It uses the BULK INSERT statement executed dynamically to load the password file into SQL Server. Password files can be obtained from a number of places on the web. Alternatively, you can write your own password file. Simply put each password on a separate line and save the password list as a text file. Figure 4 shows an example of a simple password file named Pswfile.txt.
To use this file with usp_Check_Passwords, you’d use the code
USE master GOEXEC usp_check_passwords 'C:\temp\pswfile.txt'
Note that you’d need to customize the password file’s path.
The stored procedure uses the undocumented PWDCompare system function to compare each passed-in password against the passwd column in the syslogins table. The procedure will also detect blank passwords and trivial logins (i.e., logins that have the same password as their login name).
I wrote and checked usp_Check_Passwords on SQL Server 2005 Developer Edition SP1. You can download the code for this stored procedure by clicking the 99987.zip hotlink at the top of this page.
—Eli Leiba, senior application DBA, Israel Electric
