Passwords in Sql Server 2000 are Case Insensitive by default -- WTF?
secretGeek .:dot Nuts about dot Net:.
home .: about .: sign up .: sitemap .: secretGeek RSS

Passwords in Sql Server 2000 are Case Insensitive by default -- WTF?

Whereas, in SQL server 2005, Passwords are always case sensitive -- a seemingly more sensible default. But, infact, in SQL Server 2005, you can't even force it to allow case-insensitive passwords.

Good, you may think. SQL Server 2005 has done The Right Thing. Passwords should always be case-sensitive, this is dictate of law etc. But no -- if you want to be able to smoothly upgrade from SQL Server 2000 to SQL Server 2005, you need them to be capable of behaving the same.

It's great that SQL Server 2005 is 'secure by design' and 'secure by default' -- but we live in the 'real world' where we don't control every aspect of the systems we work with.

For example, the following scenario has just trapped a client of mine:

They have legacy applications with hard-coded passwords embedded in them. The hardcoded passwords are unfortunately in a differing case in differing legacy applications.

So now the upgrade path from SQL Server 2000 to SQL Server 2005 involves rewriting these legacy applications, even though, from the businesses point of view the legacy applications are working perfectly.

At first I swore and blamed the idiot developers who emdedded hard-coded passwords, in the old applications. Then I swore and blamed them for setting the wrong case. Then I swore and blamed SQL Server 2000 for ever allowing case-insensitivity in passwords in the first place.

(aside: WTF were earlier database devs doing allowing case-insensitive passwords by default?? I, for one, never realised that case doesn't matter in sql server 2K passwords. This depends on the case-sensitivity of your collation by the way (but since it's case-insensitive by default i expect most servers will have case-insensitive passwords). I think that sybase -- the mother product -- is case-Sensitive by default, so in order to assign blame we don't have to go back to sybase, the blame lies with microsoft.)

But all those things are in the past: they are not new suprises:

The legacy of idiot programmers and insecure databases is part of the landscape that a modern system must cater for.

The real shortcoming here is SQL server 2005. It's supposed to provide true 'SQL Server 2000' compatibity. Yet there was a case where that compatability is broken.

The solution in this case was to rewrite some of legacy apps, this time with an improved configuration model, and in other cases to hunt down the source code, fix the passwords and redeploy. It was an unexpected cost of the upgrade process, discovered very late in the game.

Things are back on track now, and overall the upgrade process was super-smooth. And shiny, very shiny. SQL Server 2005 is pretty much a thing of joy and a treasure to behold. But I'm still thinking about idiot programmers:

It's an idiot's world, we just live here.



'engtech' on Fri, 24 Nov 2006 00:46:11 GMT, sez:

I suppose hex editing the legacy apps to change the password string isn't an option?


'Marcos' on Fri, 24 Nov 2006 00:48:41 GMT, sez:

hahahah a real WTF !!!

I´m working with SqlServer 2000 from 4 or 5 years now and I never think that the pass were case insensitive, really funny.

Cheers


'Dan F' on Fri, 24 Nov 2006 03:42:37 GMT, sez:

Wow, thanks for the headsup LB. I'll make sure none of the idiots here have hardcoded passwords.

Our idiot programmer + 2k5 upgrade actually involves me :)
We got bitten by ORDER BY being ignored in views under 2K5. I'm (and a couple of collegues) no super SQL geek, so I just assumed that (when SQL server let me put an order by in a view) it was an OK thing to do. Turns out that it wasn't, there's hack work arounds involving top 99.999 percent but they smelt funny. We ended up analyzing our views and bumping the offending order by's back into the sprocs. Major PITA for a while though as we had NFI what was causing obscure little bugs. I understand MS's motivation for fixing their dodgy implementation that allowed order by's, but grrrrrrr that caused some grief.


'el' on Fri, 24 Nov 2006 07:37:34 GMT, sez:

Another PITA is in profiler where from Sql2000/sp3 onwards if any statement has the text password in it (even in a comment), it hides it from you. No option to override. Wonderful if you're trying to understand legacy code. Now I use pwd...


'Eber Irigoyen' on Fri, 24 Nov 2006 20:06:40 GMT, sez:

I guess people are never going to be happy, not even when working with the most secure server

http://blogs.technet.com/security/archive/2006/11/07/sql-server-2005-1-year-and-not-yet-counting.aspx


Add your comment.


name


website (optional)


enter the word:
 

comment (HTML not allowed)


All viewpoints welcome. But the right to delete any post for any reason is reserved. Don't make me do it. Comments may be republished, emailed to your loved ones or printed and used as toilet paper. Who reads this legal bit anyhow?

TimeSnapper is a life analysis system that stores and plays-back your computer use. It makes timesheet recording a breeze, helps you recover lost work and shows you how to sharpen your act.

TimeSnapper won last year's Developer Competition at Larkware.com, and is used by over 10,000 people.

Articles

SQL Style Extensions for C# SQL Style Extensions for C#
The Movie Hollywood (And My Wife) Doesn't Want You To See: Weekend at Jacko's The Movie Hollywood (And My Wife) Doesn't Want You To See: Weekend at Jacko's
Sysi: the ultimate administrators toolkit Sysi: the ultimate administrators toolkit
Movie: Priest Academy Movie: Priest Academy
Inspirational Rat Story Inspirational Rat Story
A face-melting DSL that allows programming ON the iPhone (and iPad) A face-melting DSL that allows programming ON the iPhone (and iPad)
The secretGeek Disaster Recovery plan The secretGeek Disaster Recovery plan
Save KNVTn! Before it's too late Save KNVTn! Before it's too late
The Ultimate Agent of WERF Destruction The Ultimate Agent of WERF Destruction
The new prisoner's dilemma The new prisoner's dilemma
Original Premise for a road movie Original Premise for a road movie
What's a better game than Devshop? What's a better game than Devshop?
DevShop: The Cool Game that Makes Development Look Fun DevShop: The Cool Game that Makes Development Look Fun
Should be purple Should be purple
Kitchen Agile Kitchen Agile
Perhaps Perhaps "Go" is the new Visual Basic
zen-coding: turn those CSS selectors upside down zen-coding: turn those CSS selectors upside down
Debugging: It's all about finding Albuquerque. Debugging: It's all about finding Albuquerque.
The Real-Time online JQuery Editor The Real-Time online JQuery Editor
HTML5, a 3 minute guide HTML5, a 3 minute guide
Developer Codpieces Developer Codpieces
Agile for one: The Personal Story 'Wall' In Action Agile for one: The Personal Story 'Wall' In Action
Never work with thick people. Never work with thick people.
Cosmo: project status panel Cosmo: project status panel
Windows Search in Japan Windows Search in Japan
Project Management Zen Project Management Zen
Continuous Integration, Plugins and Going Too Far Continuous Integration, Plugins and Going Too Far
The Rules of Stand Up The Rules of Stand Up
Sydney International Airport: Stupid, Criminal, or Criminally Stupid? Sydney International Airport: Stupid, Criminal, or Criminally Stupid?
God No! ...The ReBuilder God No! ...The ReBuilder
Matt, The Office Mortar Matt, The Office Mortar
'Outlook style' rules for Subversion 'Outlook style' rules for Subversion
Really deep linking: Url + regex Really deep linking: Url + regex
hExcel -- A Hexagonal Spreadsheet hExcel -- A Hexagonal Spreadsheet
Is the remote control a thing of the past? Is the remote control a thing of the past?
The Utterly Thorough Guide To Awesome Application Compatibility on Windows 7. The Utterly Thorough Guide To Awesome Application Compatibility on Windows 7.
Astounding Hyperlinked Noticeboard Astounding Hyperlinked Noticeboard
Three Questions About Each Bug You Find Three Questions About Each Bug You Find
Recursing over the Pareto Principle... Recursing over the Pareto Principle...
Sometimes, The Better You Program, The Worse You Communicate. Sometimes, The Better You Program, The Worse You Communicate.
Archives .: secretGeek :: Complete Archives
TimeSnapper -- Automated Screenshot Journal TimeSnapper.com    
Version 3.3: true productivity boost
Next Action NextAction
Managing the top of your mind
World's Simplest Code Generator (html edition) World's Simplest Code Generator
25 steps for building a Micro-ISV 25 steps for building a Micro-ISV
3 minute guides -- babysteps in new technologies: powershell, JSON, watir, F# 3 Minute Guide Series
Universal Troubleshooting checklist Universal Troubleshooting Checklist
Top 10 SecretGeek articles Top 10 SecretGeek articles
ShinyPower (help with Powershell) ShinyPower
Now at CodePlex
Realtime CSS Editor, in a browser RealTime Online CSS Editor
Gradient Maker -- a tool for making background images that blend from one colour to another. Forget photoshop, this is the bomb. Gradient Maker

[powered by Google] 
How to be depressed How to be depressed
You are not inadequate.

Recommended Reading

The Best Software Writing I
The Business Of Software (Eric Sink)

Recommended blogs

Jeff Atwood
Reginald Braithwaite
Joseph Cooney
Phil Haack
Scott Hanselman
Julia Lerman
Rhys Parry
Joel Pobar
OJ Reeves
Eric Sink
Joel Spolsky
Des Traynor

Aggregated Links

programming.reddit.com
dzone
dot net kicks

Human Link Machines

interesting finds
a continuous learner's weblog
arjan's world
n links today
new and notable
morning coffee
learning .net
weekly link post
(my del.icio.us account)
LinkedIn profile

.: bookmark this page at del.icio.us bookmark at Del.icio.us! :: reddit this reddit this :.

 
home .: about .: sign up .: sitemap .: secretGeek RSS .: © Leon Bambrick 2006 .: privacy

home .: about .: sign up .: sitemap .: RSS .: © Leon Bambrick 2006 .: privacy