We Keep Coding

check for commonly used passwords on SQL Server

NCSC has published a list of the 100.000 most used passwords, see 100K passwords
I wondered if any of my users had used one of these passwords, so I wrote a check, inspired by an idea from bp_check.
Am I doing it the correct way?
I had problems with UniCode, but that should have been solved by now.

Here is my code to run such a password check:
-- script to check if any of the passwords on your SQL Server is amongst the 100.000 most used passwords that Troy Hunt and NCSC released
-- see https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere
--drop table dbo.PwnedPasswordTop100k
create table dbo.PwnedPasswordTop100k ( pw nvarchar(500) collate Latin1_General_CS_AS not null)
go
bulk insert dbo.PwnedPasswordTop100k
FROM 'c:\temp\PwnedPasswordTop100k.txt'
WITH
(
FIELDTERMINATOR = ',',
ROWTERMINATOR = '\n'
, codepage=65001
)
go
SELECT sl.name , ppt.pw
from sys.sql_logins sl
cross join dbo.PwnedPasswordTop100k ppt
where PWDCOMPARE(ppt.pw, sl.password_hash) = 1
union all
SELECT s.name, 'password is NULL' FROM sys.sql_logins s -- password is null (from idea from BP_Check http://aka.ms/BPCheck;)
where password_hash is null
AND exists(SELECT * FROM fn_my_permissions(NULL, 'SERVER') where permission_name='CONTROL SERVER')
and name NOT IN ('MSCRMSqlClrLogin','##MS_SmoExtendedSigningCertificate##','##MS_PolicySigningCertificate##','##MS_SQLResourceSigningCertificate##','##MS_SQLReplicationSigningCertificate##','##MS_SQLAuthenticatorCertificate##','##MS_AgentSigningCertificate##','##MS_SQLEnableSystemAssemblyLoadingUser##')
union all
SELECT s.name, s.Name FROM sys.sql_logins s -- password the same as login (from idea from BP_Check http://aka.ms/BPCheck;)
where PWDCOMPARE(s.name, s.name) = 1
union all
select 'not SYSADM', 'You do not have CONTROL SERVER permissions, and cannot see any password_hashes'
where not exists(SELECT * FROM fn_my_permissions(NULL, 'SERVER') where permission_name='CONTROL SERVER')
--select top (10000) * from dbo.PwnedPasswordTop100k where pw like N'пїЅпїЅпїЅпїЅ'
begin try
drop table dbo.PwnedPasswordTop100k
end try
begin catch
end catch
The PwnedPasswordTop100k.txt file must be copied to c:\temp on the SQL Server, and the account that runs SQL Server, must have access to the file. Alternatively, change the path to a place which the SQL Server can see.
Not everyone has access to a share that SQL Server can see. So I've also written a script with all the passwords:
Script with 100.000 passwords
It is a SELECT Statement that is 1500 kB. Quite big, but you can run it in SQL Server Management Studio.
My SQL Server can check about 6 users per minute, so the script is not very fast.

unable to open table in sql server

when I try open table in sql server management studio I receive the message
Timeout Expired
Then when I try and rename the table I get
Rename Failed Lock Request Time out Expired
Noting that it just contain one row with primary key field, datetime field and varbinary(max) field. and the other tables are working just fine. this occures once in a while.
so what should i do to resoulve this.

What do you mean open? Design window or query?
Check locks on your server first:
exec sp_lock
To set database singleuser you can do this:
USE master;
GO
ALTER DATABASE db SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO
USE db;
GO
--DO YOUR WORK HERE
GO
ALTER DATABASE db SET MULTI_USER;
Some helpful stored procedures and dynamic views:
select DB_NAME(1)
select OBJECT_NAME(1131151075,1)
exec sp_lock
-- locks for sesion 51
exec sp_lock 51
select DB_NAME(dbid)
select OBJECT_NAME(ObjId,dbid)
select * from sys.dm_tran_locks
select * from sys.dm_exec_connections
select * from sys.dm_exec_sessions
select * from sys.dm_tran_active_transactions
select * from sys.dm_tran_database_transactions
You can also watch activity monitor and kill sesion that create lock.
There is more information about that:
http://msdn.microsoft.com/en-us/library/ms173730.aspx

How can I get all the database names in a sql server instance using tsql?

How can I get all the database names in a sql server instance using tsql?

SELECT * FROM sys.databases

----SQL SERVER 2005 System Procedures
EXEC sp_databases
EXEC sp_helpdb
----SQL 2000 Method still works in SQL Server 2005
SELECT name
FROM sys.databases
SELECT name
FROM sys.sysdatabases
----SQL SERVER Un-Documented Procedure
EXEC sp_msForEachDB 'PRINT ''?'''
to know more about database : http://blog.sqlauthority.com/2007/05/12/sql-server-2005-list-all-the-database/

this should work on pretty much any version of sql server
USE master;
SELECT NAME FROM sysdatabases;
[edit : it could be SELECT NAME FROM sys.databases too, microsoft's website says both and i'm not on my windows box to test, sorry!]
you could also use (sql 2005 only)
USE master;
EXEC sp_databases;

And for practical use added couple of common filters:
select database_id, [name] database_name
from master.sys.databases
WHERE state <> 6 -- skip offline
AND database_id > 4 -- skip system dbs
AND HAS_DBACCESS([name]) = 1 -- with User Access

SQL 2000
use master
select name from sysdatabases
or
(no need for use master, includes database_size)
exec sp_databases

Changes to sysusers and sysxlogins in SQL 2008

I am currently updating a MS SQL 2000 server to SQL 2008. One of the issues highlighted by the Upgrade advisor is that the undocumented table sysxlogins has been removed.
I currently have a procedure that is run by a user 'foo' to determine if the user 'bar' exists in the database blah. If the user exists the user's password is compared to the password that was passed in to the procedure in order to determine if bar is allowed to log in to an application, it looks like this:
#UserName Varchar(50),
#Password Varchar(50)
As
Set NoCount On
------------------------------------------------------------------------------------
-- Check username
------------------------------------------------------------------------------------
If Exists
(
select top 1 name
from blah.dbo.sysusers With (NoLock)
where name = #UserName
)
Begin
------------------------------------------------------------------------------------
-- Check Password
------------------------------------------------------------------------------------
If Not Exists
(
Select *
From master.dbo.sysxlogins With (NoLock)
Where srvid IS NULL
And name = #Username
And ( ((#Password is null) or (#Password = '') and password is null)
Or (pwdcompare(#Password, password, (CASE WHEN xstatus&2048 = 2048 THEN 1 ELSE 0 END)) = 1))
)
Begin
Return 2
End
Else
Begin
------------------------------------------------------------------------------------
-- Check Role
------------------------------------------------------------------------------------
Select usg.name
From blah.dbo.sysusers usu
left outer join (blah.dbo.sysmembers mem inner join blah.dbo.sysusers usg on mem.groupuid = usg.uid) on usu.uid = mem.memberuid
left outer join syslogins lo on usu.sid = lo.sid
where usu.name = #Username
and usg.name not like 'db_%'
Return 0 -- Username and password correct
End
End
Else
Begin
Return 1 -- Username incorrect
End
This all works fine under SQL 2000, yet I must now pay the price of using undocumented system tables and make it work under 2008.
There are two problems with this, the first problem is that foo can no longer see all of the database users when executing:
select * from blah.dbo.sysusers
or Microsoft's recommended alternative:
select * from blah.sys.database_principals
I understand that this is due to the fact that members of the public role no longer have access to object meta data unless they are a member of sysadmin or have the View Definition permission on the object.
It is not possible for foo to be a member of sysadmin, so as far as I understand I need to grant foo the View Definition permission, but on which object? I don't think I do it on the system view, so do I do it on every single user?
Secondly, and similarly, I need to change my reference to sysxlogins to sys.sql_logins. Again foo can only see itself and sa when executing
select * from sys.sql_logins
How can I get foo to see all of the server logins in this list?
There will no doubt be similar problems when accessing sysmembers and syslogins later on in the code but hopefully an understanding of the two examples above will help me to sort the rest out.
Thanks in advance,

You can grant the SELECT right directly on sys.database_principals, as long as the login has a user in the master database. For example:
use master
create user MyUser for login MyUser
grant select on sys.database_principals to MyUser
Then, in SQL Server 2008, passwords are encrypted, even for the administrator. You can, however, verify a password by trying to change it. The change procedure will give an error if the old password is incorrect.
declare #rc int
begin try
exec #rc = sp_password 'welcome', 'welcome', 'MyUser'
end try
begin catch
set #rc = ERROR_NUMBER()
end catch
-- Should be 0 on success
select #rc
For this to work, you have to disable Enforce password policy in the Login Properties dialog. Otherwise, the policy would prevent you from changing your password too often.

I think GRANT SELECT ON... is more troublesome as one have to add the user to the master database. The below was the solution for me:
USE master
GRANT VIEW ANY DEFINITION TO foo
If you have an app that works on various versions of SQL you need to check if the server version is higher then 8 (GRANT VIEW ANY DEFINITION works from SQL 2005 though it seemes not be needed there).

How do I determine if a database role exists in SQL Server?

I'm trying to figure out how I can check if a database role exists in SQL Server. I want to do something like this:
if not exists (select 1 from sometable where rolename='role')
begin
CREATE ROLE role
AUTHORIZATION MyUser;
end
What table/proc should I use here?

SELECT DATABASE_PRINCIPAL_ID('role')
--or
IF DATABASE_PRINCIPAL_ID('role') IS NULL
USER_ID is deprecated and could break. CREATE ROLE indicates SQL 2005+ so it's OK

if not exists (select 1 from sys.database_principals where name='role' and Type = 'R')
begin
CREATE ROLE role
AUTHORIZATION MyUser;
end