
I have a program in which the user needs to log in with a user name and password. I'm checking the name against the sys.syslogins table in the master DB. But for the password I receive a string with (probably) encoded characters like this (1?????????????). Now what can I do in order to decode that string and get the password in order to compare it with the entered one?

gbn
Lefteris Gkinis
    A secure password system won't allow you to decode a password. You check passwords by encoding the one you want to test and comparing to see if they're equal. – Mark Ransom Nov 02 '10 at 20:31
  • Yes Mark by using the proposal of dear Gonzalo – Lefteris Gkinis Nov 02 '10 at 21:04
  • Gonzalo is doing exactly what Mark said... He's comparing the encoded values of a known password with the existing encoded values. It's not decoding the password from syslogins. – Andrew Flanagan Nov 02 '10 at 22:57

2 Answers

10

Try this:

SELECT name FROM sys.syslogins
WHERE pwdcompare('somepassword', password) = 1

Edited to replace double quotes with single quotes.

Gonzalo
  • Dear Gonzalo, I want to thank you very much, and say to you that your answer was the only accurate one, with one difference: in the somepassword we don't use the double quote (") but we have to use the single quote ('). Thank you very much, you were great. – Lefteris Gkinis Nov 02 '10 at 20:56
  • Cool! I've always hashed in the code, not on the database side. Does MySQL have something like this? – jon_darkstar Nov 03 '10 at 01:52
  • Yes, in MySql you do: SELECT user FROM user WHERE password = PASSWORD('YOURPASSWORD'); – Gonzalo Nov 03 '10 at 04:24
8

You can't decode sys.syslogins: it's a one way hash.

You compare like for like if it uses the same technique, or run it through pwdcompare.

Note: it's also sys.sql_logins in SQL Server 2005+

Also, why would you use SQL Server logins to validate a user? It doesn't make sense...

gbn
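Putting the two answers together, as an added example that is not from either answer or from Microsoft's own samples: a T-SQL procedure (the name dbo.usp_CheckSqlLogin and the parameter names are my own) that verifies a SQL login against sys.sql_logins with PWDCOMPARE, followed by a self-check built from a constructed PWDENCRYPT hash. It assumes SQL Server 2005 or later and a caller permitted to read password_hash.

```sql
-- Added example (not from the answers): validate a SQL login the way gbn and
-- Gonzalo describe, by hashing the candidate and comparing it with the stored
-- one-way hash rather than trying to decode the stored value.
-- Assumes SQL Server 2005+ (sys.sql_logins) and a caller allowed to read
-- password_hash; procedure and parameter names are hypothetical.
CREATE PROCEDURE dbo.usp_CheckSqlLogin
    @login_name sysname,
    @candidate  nvarchar(128),
    @is_valid   bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    -- PWDCOMPARE returns 1 only when the candidate hashes to the stored value.
    -- COALESCE turns "no such login" into 0 instead of NULL, so an unknown
    -- account is treated exactly like a wrong password.
    SELECT @is_valid = COALESCE(MAX(PWDCOMPARE(@candidate, password_hash)), 0)
    FROM sys.sql_logins
    WHERE name = @login_name;
END;
GO

-- Self-check with a constructed hash: PWDENCRYPT produces the same kind of
-- hash that sys.sql_logins stores, so PWDCOMPARE should accept the right
-- password and reject the wrong one without ever "decoding" the hash.
DECLARE @hash varbinary(256);
SET @hash = PWDENCRYPT(N'CorrectHorseBatteryStaple');   -- constructed sample
SELECT PWDCOMPARE(N'CorrectHorseBatteryStaple', @hash) AS right_password,
       PWDCOMPARE(N'wrong-guess', @hash)                AS wrong_password;
```

The first column should come back as 1 and the second as 0; call the procedure with an OUTPUT variable to get the same 1/0 result for a real login name.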