Are my SQL logins weak?

Password hygiene is a vital component of data security, and the recent run of high-profile data thefts makes it impossible to ignore. This post points to a very simple script that finds SQL Server authenticated logins (not Windows logins) that have either a blank password or a password that matches the login name, so you can take action and remove the exposure immediately.

I’ve been to hundreds of clients across many verticals and it never ceases to amaze me when I see SQL Server logins that have either a blank password or one that matches the name. What’s even more worrisome is that 60% of these logins were a member of the sysadmin built-in role and 90%+ were granted the DBO role for their database.

A while back I posted some code to the Microsoft TechNet Gallery that can help you identify these logins.

Check it out here: https://gallery.technet.microsoft.com/Identify-SQL-Server-33925ae3

If you like it or find it helpful, be sure to give the gallery a 5-star rating.  : )

A couple of considerations:

  • SQL Server passwords are case sensitive, regardless of the instance collation.
  • The script compares the password against the login name in the same case as the login name; it does not try upper- or lower-case variants.
  • The script compares the password against ‘’ (blank).
  • Common passwords are not compared, but they easily could be with a quick tweak. You could also run a brute-force tool against a suspect login, but it is better to take the word list from that tool and add it to the query: the query compares candidates against the stored hash inside the server, so it does not generate failed-login events or risk locking the account out.

It’s easy enough to add an UPPER or a LOWER to the query, and just about as easy to add in a list of common passwords. Leave some comments and let me know if you’d like to see a modified version that does a bit more.
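As an added example, written for this page and not the TechNet Gallery script itself, the following T-SQL shows how such a check is built and folds in the tweaks discussed above: it tests every SQL login against a blank password, the login name as-is and in UPPER/LOWER form, and a short constructed list of common passwords, using the built-in PWDCOMPARE function against the stored hash in sys.sql_logins. It also flags sysadmin membership and emits a ready-to-run ALTER LOGIN statement for each hit. The candidate list is made up for illustration; reading password_hash requires CONTROL SERVER, and without it the column reads NULL and nothing is reported.

```sql
-- Added example: audit SQL Server authenticated logins for weak passwords.
-- Not the original gallery script. Requires CONTROL SERVER to read
-- sys.sql_logins.password_hash (the column is NULL otherwise).
SET NOCOUNT ON;

-- Constructed candidate list (assumption: extend with your own word list).
DECLARE @candidates TABLE (candidate nvarchar(128) NOT NULL, reason nvarchar(64) NOT NULL);
INSERT INTO @candidates (candidate, reason) VALUES
    (N'',          N'blank password'),
    (N'password',  N'common password'),
    (N'Password1', N'common password'),
    (N'sa',        N'common password'),
    (N'sql',       N'common password'),
    (N'123456',    N'common password');

SELECT
    l.name                                   AS login_name,
    l.is_disabled,
    IS_SRVROLEMEMBER(N'sysadmin', l.name)    AS is_sysadmin,   -- 1 = member
    l.is_policy_checked,
    c.reason,
    CASE WHEN c.candidate = N'' THEN N'(blank)' ELSE c.candidate END AS matched_value,
    -- Remediation you can copy straight out of the result set.
    N'ALTER LOGIN ' + QUOTENAME(l.name) + N' DISABLE;' AS disable_statement
FROM sys.sql_logins AS l
CROSS APPLY (
    -- Login name in the same case, all upper, all lower, plus the word list.
    SELECT l.name        AS candidate, N'matches login name'         AS reason
    UNION SELECT UPPER(l.name),        N'matches login name (UPPER)'
    UNION SELECT LOWER(l.name),        N'matches login name (LOWER)'
    UNION SELECT candidate, reason FROM @candidates
) AS c
WHERE l.password_hash IS NOT NULL
  -- PWDCOMPARE hashes the candidate and compares it with the stored hash;
  -- it is not a login attempt, so it leaves no failed-login audit trail.
  AND PWDCOMPARE(c.candidate, l.password_hash) = 1
ORDER BY is_sysadmin DESC, l.name, c.reason;
```

Run it as a sysadmin on the instance being audited. A login whose name is already all upper- or lower-case can appear twice with different reasons; that is harmless. The query is read-only: act on the generated ALTER LOGIN ... DISABLE statements (or reset the password with ALTER LOGIN ... WITH PASSWORD = '...' MUST_CHANGE, which requires CHECK_POLICY and CHECK_EXPIRATION to be ON) only after confirming which applications depend on each login.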
