5 Tips to Secure Digital Devices in High-Risk Situations

Traveling to a high-risk area can expose your electronic devices to hacking or data theft risks. Here are five recommended steps to secure your devices and protect your sensitive information.

  1. Back up your data before you travel – Make sure you have a copy of your important files and documents in a secure cloud service or on an external hard drive. Don’t bring the backup into the risky area; keeping it elsewhere preserves a copy of your critical data so you can restore it if your device is lost, stolen, or compromised.
  2. Encrypt your devices and use strong passwords – Encryption is a process that scrambles your data and makes it unreadable without a key or a password. You can encrypt your entire device or specific folders and files. Use a strong password that is hard to guess and different for each device and account. You can also use a password manager to store and generate passwords securely.
  3. Disable or remove unnecessary features and apps – Some features and apps on your devices can make you more vulnerable to hacking or data theft. For example, Bluetooth, Wi-Fi, GPS, and NFC can be used to track your location or access your data without your permission. Disable or remove these features and apps when you are not using them or when you are in a public place.
  4. Use a VPN and avoid public Wi-Fi networks – A VPN (virtual private network) is a service that creates a secure connection between your device and the internet. It encrypts your data and hides your IP address, making it harder for hackers or third parties to intercept or monitor your online activity. Avoid using public Wi-Fi networks, such as those in hotels, airports, or cafes, as they are often unsecured and can expose your data to hackers or malicious software.
  5. Be vigilant and cautious – The most important step to secure your devices is to be aware of the potential risks and take precautions to avoid them. Do not leave your devices unattended or lend them to strangers. Do not open suspicious emails or attachments or click on unknown links. Do not download or install software from untrusted sources. Do not enter sensitive information on websites that are not secure (look for the padlock icon and https in the address bar). If you notice any signs of hacking or data theft, such as unusual activity, pop-ups, or messages, disconnect from the internet and scan your device for malware.

How to Create a Secure Windows 10 Workstation for Beginners

If you are new to Windows 10 and want to create a secure workstation for your personal or professional use, this blog post is for you. In this post, I will show you how to set up a Windows 10 workstation with some basic security features that will help you protect your data and privacy. Here are the steps you need to follow:

Continue reading “How to Create a Secure Windows 10 Workstation for Beginners”

Reset the Azure VM administrator password

To reset the password of an Azure virtual machine, you can use the Azure portal or Azure PowerShell.

Azure Portal

Log into the Azure portal (http://portal.azure.com) and open the Azure VM whose password you want to reset. Under the Support + Troubleshooting menu, click on Reset Password, and follow the Reset Password wizard to update the credentials.

Note: This is not supported for Active Directory Domain Controllers.

PowerShell

If you want to use Azure PowerShell, you can edit this script and run the following commands:

$SubID = "<SUBSCRIPTION ID>"
$RgName = "<RESOURCE GROUP NAME>"
$VmName = "<VM NAME>"
$Location = "<LOCATION>"

# Sign in and select the subscription that owns the VM
Connect-AzAccount
Select-AzSubscription -SubscriptionId $SubID

# Prompt for the new username/password and push them to the VM through the VMAccess extension
Set-AzVMAccessExtension -ResourceGroupName $RgName -Location $Location -VMName $VmName -Credential (Get-Credential) -TypeHandlerVersion "2.0" -Name VMAccessAgent

This information should help you to reset the password of an Azure virtual machine if you have lost access. If you want to know more, read the following troubleshooting article on Microsoft Docs.

12 Cybersecurity Tips to Stay Secure on the Internet

The internet is a wonderful place full of free information, endless entertainment, and useful ways to communicate with your family and friends. There are also people that want to use that wondrous virtual environment to attack the cyber-weak and take what they have for their own profit. You see the news stories almost weekly, where another company has been breached and their customer data has been stolen, stories where companies have been attacked with ransomware and all their files are encrypted until they meet their attackers’ demands, or just average users bombarded with phishing emails or robocalls.

People don’t always know what they can do to protect themselves, so I have collected 10 simple tips that will help guide the average user to a safer cybersecurity profile that will help protect their valuable systems and data from cybercriminals.

Basically speaking, when you want to secure a user, a family, or an entire company you have to first secure the perimeter, then secure the data that enters and exits through that perimeter. Just a few years ago that perimeter was much smaller and easily defined, but with today’s services relying on the internet for almost all information like news, weather, movies, emails, file storage, gaming, etc. that perimeter is larger than ever before.

You need to think about how you use the services and systems that you have access to each day and determine what data you share has value, what processes are at a high risk, and how a malicious user might monetize your activity. One basic example is that you may use your personal computer to access your bank to transfer money from checking to savings. The risk is that your computer may be compromised, which might allow a hacker to gain access to your bank account and transfer your money to their bank account. A hacker might just gain access to your password and is then able to use your email address and stolen password to log into your bank account from anywhere in the world to open new accounts and borrow massive amounts of money in your name.

Continue reading “12 Cybersecurity Tips to Stay Secure on the Internet”

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Get past any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communicating with the compromised device, usually through a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attacker’s command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 steps to reducing the impact of a lateral movement attack:

  1. Malware and Virus Detection – Install and properly configure an anti-malware and anti-virus solution on every endpoint. This offers, as a minimum, basic protection from known malware signatures, and probably offers advanced heuristic protection algorithms that detect behavior indicating malicious activity even on zero-day attack attempts. The Microsoft Defender endpoint protection features in Windows 10 are a good example of this type of software that is highly rated and very effective.
  2. Standard User Accounts – Since users are usually the ones that allow the initial compromise through drive-by downloads or clicking on a phishing email, you must limit the power of the malware by limiting the power of the user. Require all users to log in with a standard user account and don’t make them a local administrator on any computer. Even administrators should log into their computer with a standard account as a normal practice. They should only log into systems with administrative rights when they need to actually perform administrative tasks.
  3. Enforce Least Privilege – Only allow users access to systems if they have a business need for that resource. Only allow the minimum privileges that let the user do exactly what they need to do, nothing more. This helps prevent malware from using the user’s permissions to gain unauthorized access to sensitive data.
  4. Multifactor Authentication – Implement multi-factor authentication for access to internal and external systems, all applications, and even social media. This basically requires the user to approve access through a mobile application or SMS message before their computer password is accepted. This means that even if a user’s password is stolen or guessed by an attacker, they can’t access the resource without the user’s cellphone.
  5. Conditional Access Controls – Restricting access based on static elements like location, operating system, or even time of day is a basic control that limits account login, even with approved credentials, to enforce compliance dynamically. Microsoft O365 and Azure offer a wide range of conditional access features based on location, operating systems, user risk, etc. to add security options for greater account protection.
  6. Strong Password Management – Require strong passwords that are different for every account. Never allow users to reuse passwords and encourage users to use password managers so they have strong password hygiene. Block common unsafe passwords (i.e. password1, qwerty123, etc.) and configure systems to log password failure attempts. Configure systems and devices to change or eliminate default passwords and require every system to have unique passwords across all privileged accounts. Never store passwords inside a script. Implement SSH key management tools.
  7. Patch Management – Configure systems and devices to automatically download and install vendor patches as soon as they become available. If the system needs to be tested before any patch is applied, do the testing as soon as possible and target installing all vendor patches within 30 days. Fewer vulnerabilities make it harder for an attacker to get into a system through a software security weakness.
  8. Network Segmentation – Group assets (users, application servers, etc.) into logical units that do not trust each other. Segmenting your network reduces the “line of sight” access attackers must have into your internal systems. For access that needs to cross trust zones, require a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring. If malware can’t access systems, it severely limits an attacker’s ability to jump from one system to the next. Where possible, go beyond standard network segmentation to segment based on the context of the user, role, application and data being requested.
  9. Implement Threat Behavior Monitoring – Implement baseline security event monitoring and log the events that will help you later understand which systems were compromised. Using advanced threat detection (including user behavior monitoring) you can quickly detect compromised account activity as well as symptoms of insider privilege misuse.
  10. Application Whitelisting – If possible, implement policies to only allow known good applications to execute while you block and log all other application launch attempts. Windows 10 allows you to implement this functionality using AppLocker. As a minimum you can pre-install the software required by a user and block them from installing any new software.

While backups will not help prevent a successful lateral movement attack, if your files are compromised by an attack your only remediation may be to restore/replace the missing or encrypted files from a recent backup. Don’t forget to include offline backups in your security efforts as a safety net when all preventative measures fail.

While none of these steps will prevent a successful attack on their own, a combination of tactics can truly limit the ability of a successful attack to do severe damage to your business. By limiting the scope of an attack you can reduce the cost of recovery, limit the scope/quantity of lost or damaged files, prevent a compromise of critical business intelligence, and build confidence in your ability to protect critical business assets.

Please Select a Better Password

In light of the ever more frequent online breaches, we should talk again about picking a good password. People continue to pick and use poor passwords to protect their valuable information. You might not think your password is important or sought after by hackers, but it really is the only thing between the entire world and your personal online accounts.

If you have a password of eight random letters, there are about 200 billion possible password combinations. If a hacking program like Hashcat had to try them all, it would be done in about 4 minutes. If you add mixed casing and numbers into the mix, you increase the number of possible passwords, and by increasing the length to 12 characters we can catapult the number of password possibilities to about 4 sextillion. With that many possibilities available to users, it would take Hashcat an estimated lifetime to work through all the possible combinations.

However, this math does not take the human factor into account. You want to select a combination of characters that you can remember and isn’t too difficult to enter a few times each day. The password also has to work within the limits imposed by the website or application where you created the password. People wanting to crack your password are also aware of those limitations. In fact, there are extensive lists of common password terms available on the internet, sorted by their popularity. The password cracking programs will just try those more common words and their common iterations first, and that allows for increased odds of success in a much shorter time.

Continue reading “Please Select a Better Password”

Selecting a Better Password

People continue to pick and use poor passwords to protect their valuable information. You might not think your password is important or sought after by hackers, but it is really the only thing between the entire world and your personal online accounts. If you have a password of eight random letters, there are about 200 billion possible password combinations. If a hacking program like Hashcat had to try them all, it would be done in about 4 minutes. If you add mixed casing and digits into the mix, you increase the number of possible passwords, and by increasing the length to 12 characters we can catapult the number of password possibilities to about 4 sextillion. With that many possibilities available to users, it would take Hashcat an estimated lifetime to work through all the possible combinations.

However, this math does not take the human factor into account. You want to select a combination of characters that you can remember and isn’t too difficult to enter a few times each day. The password also has to work within the limits imposed by the website or application where you created the password. People wanting to crack your password are aware of those limitations. In fact, there are extensive lists of common password terms available on the internet, sorted by their popularity. The password cracking programs will just try those more common words and their common alterations first, and that allows for increased odds of success in a shorter time.

Continue reading “Selecting a Better Password”

Password Security with SQL Server on Linux and Docker

With the recent release of a preview version of SQL Server for Linux and Docker, Microsoft has made it relatively easy to run SQL Server on a non-Windows platform. For example, to install and run SQL Server v.Next on Docker, according to Microsoft’s directions, you would:

  1. Pull the Docker image from Docker Hub
  2. Run the Docker image using the following command
docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=<Strong!Passw0rd>' -p 1433:1433 -d microsoft/mssql-server-linux

Now the accepted practice for setting credentials in a stateless container is to use environment variables. You can see this in the -e parameter 'SA_PASSWORD=<Strong!Passw0rd>'.

The potential problem with this approach is that the SA credentials will appear in the bash history. Not only this, but the credentials will also show in the output of the ps command (used to list running applications). This effectively exposes the Super User account to any admin with access to the host machine.

Be very careful as you evaluate this SQL Server preview to make sure you are installing SQL Server as securely as possible as you prepare for implementing this product in your production environment in the coming year.
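As an added example (not code from the original post), here is a small Python check that scans command lines of the kind found in shell history or ps output and flags any that pass a credential as a VAR=value assignment, which is exactly how the docker run line above exposes the SA password. The sample lines are constructed; the variable-name keywords and the --env-file alternative (a real Docker option that keeps the value off the command line, though the container's environment is still readable by anyone who can inspect it) are my assumptions.

```python
import re

# Constructed sample lines of the kind `history` and `ps -eo args` print on the
# Docker host; not captured from a real system.
SAMPLE_COMMAND_LINES = [
    "docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=<Strong!Passw0rd>' -p 1433:1433 -d microsoft/mssql-server-linux",
    "docker run --env-file /run/secrets/mssql.env -p 1433:1433 -d microsoft/mssql-server-linux",
    "MYSQL_ROOT_PASSWORD=hunter2 docker-compose up -d",
    "ls -la /var/lib/docker",
]

# VAR=value assignments whose variable name suggests a credential (keyword list is an
# assumption). The optional surrounding quote is captured so redaction keeps the shell
# quoting intact.
SECRET_ASSIGNMENT = re.compile(
    r"""(?P<q>['"]?)"""
    r"""(?P<name>[A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*)"""
    r"""=(?P<value>[^'"\s]+)(?P=q)"""
)


def find_exposed_secrets(lines):
    """Return (line_index, variable_name) for every command line that carries a
    credential in clear text, i.e. one that history and ps would reveal."""
    hits = []
    for index, line in enumerate(lines):
        for match in SECRET_ASSIGNMENT.finditer(line):
            hits.append((index, match.group("name")))
    return hits


def redact(line):
    """Replace the secret values on a command line with *** before the line is
    logged or shared, keeping the variable name and its quoting."""
    return SECRET_ASSIGNMENT.sub(
        lambda m: f"{m.group('q')}{m.group('name')}=***{m.group('q')}", line
    )


if __name__ == "__main__":
    for index, name in find_exposed_secrets(SAMPLE_COMMAND_LINES):
        print(f"line {index}: {name} passed in clear text -> {redact(SAMPLE_COMMAND_LINES[index])}")
```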

Rethinking Mandatory Password Changes

We are told to change our passwords every 90 days. The primary reason given to users is that users pick bad passwords and they can only be trusted for less than 90 days before they could be hacked. Many users will complain that it is difficult to select at least 4 complex passwords a year. If you pair that with the inability to reuse the last 6 passwords (minimum PCI DSS requirement), and the fact that users have more than one account that requires a password, you are looking at the requirement for potentially hundreds (current and recently used) of unique passwords that they may have to remember.

FTC Chief Technologist Lorrie Cranor wrote in March 2016 that it is time to reconsider mandatory password changes:

Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)

Their research also showed that once a user password has been hacked, they were able to guess the next password the user would select with relative ease.

The Carleton researchers also point out that an attacker who already knows a user’s password is unlikely to be thwarted by a password change. As the UNC researchers demonstrated, once an attacker knows a password, they are often able to guess the user’s next password fairly easily. In addition, an attacker who has gained access to a user’s account once may be able to install a key logger or other malware that will allow them to continue to access the system, even if the user changes their password.

While there are environments that are less flexible because of compliance requirements, you should look at other solutions to the threat of hacking.

A change in the frequency and type of passwords you require addresses the issue from a user’s perspective, but doesn’t address the problem of the cyber-mess a user must face when an internet site is hacked and their very complex and long password may still be compromised.

Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely. Encouraging users to make the effort to create a strong password that they will be able to use for a long time may be a better approach for many organizations, especially when combined with slow hash functions, well-chosen salt, limiting login attempts, and password length and complexity requirements. And the best choice – particularly if your enterprise maintains sensitive data – may be to implement multi-factor authentication.

Maybe this holiday season is a good time to rethink your password procedures to see if there is anything you can do to make the situation better for your users.

25 Poor Passwords

According to internet security software firm SplashData, if you are using any of the passwords listed you should change them immediately. While a simple password might be easier for you to remember, it is also easier for hackers to guess. The SplashData study said:

We call them the “worst passwords” because when it comes to password security, using a popular password is a very bad thing. Since the most popular passwords are so common, these popular passwords would be among the very first tried by any hacker or malicious “cracking” program. When you choose a password, you want something unique, complex, and unusual, and you want to make sure you use different passwords for different sites.

Rank  Password    Change from 2013
 1    123456      No Change
 2    password    No Change
 3    12345       Up 17
 4    12345678    Down 1
 5    qwerty      Down 1
 6    123456789   No Change
 7    1234        Up 9
 8    baseball    New
 9    dragon      New
10    football    New
11    1234567     Down 4
12    monkey      Up 5
13    letmein     Up 1
14    abc123      Down 9
15    111111      Down 8
16    mustang     New
17    access      New
18    shadow      Unchanged
19    master      New
20    michael     New
21    superman    New
22    696969      New
23    123123      Down 12
24    batman      New
25    trustno1    Down 1

What are you supposed to do to make a breach of your accounts more difficult?

  1. Use the entire keyboard – Include symbols, uppercase letters, lowercase letters, and numbers in your password. If allowed, include a character from each of those four categories.
  2. Make passwords longer – Passwords should be a minimum of 8 characters long, but longer passwords are generally better than shorter passwords.
  3. Avoid Dictionary Words – Hacker tools generally look for words you find in a dictionary, along with common passwords, when guessing your password. If you avoid words or combinations of words (in multiple languages) it won’t be as easy for hackers to crack your password.
  4. Best Practice – Your password should not contain your name, username, publicly available data (birthday, telephone number, house or apartment number, etc.), or your company name.
  5. Avoid Repeats – Your password should always be significantly different from any old passwords. This includes avoiding adding a number to the end of the last password (“password1” is just as bad as “password”).
  6. Don’t duplicate passwords – Never use the same password on different accounts. The most common example is don’t use the same password on your Twitter and Google accounts. If one account is compromised, the hacker will try the same password on your other accounts, so don’t make it easy to gain access to all your accounts. This is also essential for those people who have more than one business account. If you have one account for normal use and another account for “admin” use, never use the same password for both accounts.

I’ve written about passwords before, including how to select a good password.

Data Analysis of PIN Numbers

Data is an interesting topic of exploration. In this example, we are looking at the data as it relates to PIN numbers. PIN numbers are usually all that stands between your bank account and a determined hacker. They can clone your debit card, but they can’t clone your PIN number used to authorize your transactions.  But maybe, if you use a common PIN, they can easily guess your PIN.

In this article by Nick Berry on DataGenetics is an interesting read to better understand the power on data analysis and why data is important when trying to solve a problem. In this case, the problem is trying to solve the question of the most common PIN numbers, and why some PIN combinations are more common than others.

I was able to find almost 3.4 million four-digit passwords. Every single one of the 10,000 combinations of digits from 0000 through to 9999 was represented in the dataset.

The most popular password is 1234 … it’s staggering how popular this password appears to be. Utterly staggering at the lack of imagination … nearly 11% of the 3.4 million passwords are 1234!!!

The next most popular 4-digit PIN in use is 1111 with over 6% of passwords being this.

In third place is 0000 with almost 2%.

(Statistically, with 10,000 possible combinations, if passwords were uniformly randomly distributed, we would expect these twenty passwords to account for just 0.2% of the total, not the 26.83% encountered.)

Looking more closely at the top few records, all the usual suspects are present: 1111, 2222, 3333 … 9999, as well as 1212 and (snigger) 6969.

It’s not a surprise to see patterns like 1122 and 1313 occurring high up in the list, nor 4321 or 1010.

2001 makes an appearance at #19. 1984 follows not far behind in position #26, and James Bond fans may be interested to know 0007 is found between the two of them in position #23 (another variant, 0070, follows not much further behind at #28).

The first “puzzling” password I encountered was 2580 in position #22. What is the significance of these digits? Why should so many people select this code to make it appear so high up the list?

Then I realized that 2580 is straight down the middle of a telephone keypad! (Interestingly, this is very compelling evidence confirming the hypothesis that a 4-digit password list is a great proxy for a PIN number database. If you look at the numeric keypad on a PC keyboard you’ll see that 2580 is slightly more awkward to type on the PC than on a phone because the order of keys on a keyboard is inverted. Cash machines and other terminals that take credit cards use phone-style numeric pads. It appears that many people have an easy-to-type/remember PIN number for their credit card and are re-using the same four digits for their online passwords, where the “straight down the middle” mnemonic no longer applies.)
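The analysis above, reduced to runnable form as an added example (this is my code, not Nick Berry’s or DataGenetics’): it ranks a constructed, deliberately skewed sample of 4-digit PINs, compares the share held by the top N with the 0.2% a uniform distribution would give 20 PINs, and names the memorability patterns the article points out (repeated digits, sequences, telephone-keypad lines such as 2580, years), which is what a defender needs to build a PIN blocklist. The keypad coordinates and the year range are my assumptions.

```python
from collections import Counter

# Constructed sample of 4-digit PINs skewed the way the article describes
# (1234, 1111 and 0000 dominate); it is not the 3.4 million-record dataset.
SAMPLE_PINS = (["1234"] * 110 + ["1111"] * 60 + ["0000"] * 20 + ["2580"] * 8
               + ["1984"] * 5 + [f"{n:04d}" for n in range(3000, 3797)])

# Digit positions on a telephone-style keypad as (column, row); 0 sits below the 8.
KEYPAD = {"1": (0, 0), "2": (1, 0), "3": (2, 0),
          "4": (0, 1), "5": (1, 1), "6": (2, 1),
          "7": (0, 2), "8": (1, 2), "9": (2, 2),
          "0": (1, 3)}


def top_pins(pins, n=20):
    """The n most frequent PINs with their counts, most common first."""
    return Counter(pins).most_common(n)


def top_share(pins, n=20):
    """Fraction of all records held by the n most common PINs."""
    return sum(count for _, count in top_pins(pins, n)) / len(pins)


def uniform_share(n=20, space=10_000):
    """Share the top n would hold if PINs were chosen uniformly: n / 10000 (0.2% for n=20)."""
    return n / space


def classify(pin):
    """Name the memorability pattern behind a PIN, or None if no simple pattern fits."""
    digits = [int(d) for d in pin]
    steps = [b - a for a, b in zip(digits, digits[1:])]
    if len(set(pin)) == 1:
        return "repeated digit"            # 1111, 0000
    if pin[:2] == pin[2:]:
        return "repeated pair"             # 1212, 6969
    if all(s == steps[0] for s in steps) and steps[0] in (1, -1):
        return "sequence"                  # 1234, 4321
    points = [KEYPAD[d] for d in pin]
    moves = [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]
    if all(m == moves[0] for m in moves) and moves[0] != (0, 0):
        return "keypad line"               # 2580 straight down a phone keypad
    if 1900 <= int(pin) <= 2030:           # assumed range for birth/anniversary years
        return "year"
    return None


def blocklist(pins, n=20):
    """PINs an issuer might refuse: the n most common plus every PIN with a named pattern."""
    common = {pin for pin, _ in top_pins(pins, n)}
    patterned = {f"{v:04d}" for v in range(10_000) if classify(f"{v:04d}")}
    return common | patterned


if __name__ == "__main__":
    for pin, count in top_pins(SAMPLE_PINS, 5):
        print(f"{pin}: {count / len(SAMPLE_PINS):.1%}  pattern={classify(pin)}")
    print(f"top 20 hold {top_share(SAMPLE_PINS):.1%} vs {uniform_share():.1%} if uniform")
```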

25 Worst Internet Passwords

Another year and another list of the worst and most commonly used passwords from internet security software firm SplashData. If you are using any of the passwords listed, you should change them immediately. Simple passwords might be easier for you to remember, but they are also easy for hackers to guess when they attempt to access your bank account or Twitter account.

We call them the “worst passwords” because when it comes to password security, using a popular password is a very bad thing. Since the most popular passwords are so common, these popular passwords would be among the very first tried by any hacker or malicious “cracking” program. When you choose a password, you want something unique, complex, and unusual, and you want to make sure you use different passwords for different sites.

Rank  Password   Change from 2013
1     123456     No Change
2     password   No Change
3     12345      Up 17
4     12345678   Down 1
5     qwerty     Down 1
6     123456789  No Change
7     1234       Up 9
8     baseball   New
9     dragon     New
10    football   New
11    1234567    Down 4
12    monkey     Up 5
13    letmein    Up 1
14    abc123     Down 9
15    111111     Down 8
16    mustang    New
17    access     New
18    shadow     Unchanged
19    master     New
20    michael    New
21    superman   New
22    696969     New
23    123123     Down 12
24    batman     New
25    trustno1   Down 1

There are so many easy ways to create useful and secure passwords, it is almost more difficult to create a bad password. You can read more about how to select and create secure passwords here or here.

Reset SA Password in SQL Server

Sometimes you just need to reset the SA account password in SQL Server. You can easily reset the password in SQL Server Management Studio, but you can also use a Transact-SQL script or the command prompt. Either way you need a connection that already holds sysadmin rights (typically a Windows login that is a member of the sysadmin role); if no such login exists, the supported recovery path is to start the instance in single-user mode and add one.

Using SQL Script

Step 1: Open SQL Server Management Studio.

Step 2: Then open a New Query and copy, paste, and execute the following:

USE [master]
GO
ALTER LOGIN [sa] WITH DEFAULT_DATABASE = [master]
GO
-- MUST_CHANGE forces a new password at the next login. SQL Server only accepts it
-- when CHECK_EXPIRATION is ON, which is not the default for sa, so it is switched
-- on in the same statement.
ALTER LOGIN [sa] WITH PASSWORD = N'Password' MUST_CHANGE, CHECK_EXPIRATION = ON
GO

Note: Password is the new password you would like to use with the SA account; with CHECK_POLICY on (the default) it must satisfy the Windows password complexity policy of the host. Leave out the MUST_CHANGE clause if the sa login is used by an application that cannot answer a change-password prompt.

 

Using command prompt

Step 1: Open a command prompt on the server and run osql -L to list the SQL Server instances it can see.

Step 2: Copy the full name of the SQL Server and type: OSQL -S [servername] -E (the -E switch connects with your Windows credentials, which must belong to a member of sysadmin).

Step 3: Execute the following query: EXEC sp_password NULL, '[new_password]', 'sa'

Step 4: Then type GO to run it.

Both osql and sp_password are deprecated. On current versions use sqlcmd, which accepts the same -S and -E switches, and run the ALTER LOGIN statement from the script above instead of sp_password.

Reset Password and Disable SQL Server SA Account

When SQL Server is installed in mixed-mode authentication, it creates and enables the SA account by default (an instance installed for Windows Authentication only still creates sa but leaves it disabled). While modern security practice recognizes this as a suboptimal arrangement, it has always been this way, so you need to know how to deal with it. As with most questions about anything as complex as a database instance, the right answer depends on your environment.

Generally speaking, your SQL Server instance should be configured to allow only Windows Authentication. There may be times when mixed-mode authentication is necessary, usually because some vendor application requires a specific SQL login or even the SA account, at which point you will have to address how you secure the default SA account. A SQL-authenticated sa is also the login that automated attacks on exposed instances try first, which is reason enough to disable it whenever nothing needs it.

Your auditors for PCI or Sarbanes-Oxley will want all user accounts to have passwords that change at least every 90 days, or else the account must be disabled. Make sure nothing uses the SA account, then change the password and disable it. If you do need the SA account, you will need a process to rotate its password on a regular basis. The new password must be random, not shared with any other account, and, if the account is in use, compliant with your network password complexity rules.

 

If you disable the account and plan never to use it again, not only do you not want anyone else to know the password, you don’t even want to know it yourself. This is a good reason to set an unguessable random value such as a GUID as the password: a version-4 GUID carries 122 random bits, far more than any password a person would type, even though it is drawn only from hexadecimal digits and hyphens.

SQL Server has an undocumented system stored procedure named sp_SetAutoSAPasswordAndDisable. As the somewhat long name suggests, it resets the password and then disables the SA account. Being undocumented, it may change or disappear between versions; the two documented statements it wraps, ALTER LOGIN sa WITH PASSWORD = ... and ALTER LOGIN sa DISABLE, do the same job if you prefer not to depend on it.


The procedure takes no parameters, so the syntax for usage is as follows:

EXEC sp_SetAutoSAPasswordAndDisable
GO

After the stored procedure completes you should see the standard message:

Command(s) completed successfully.

The actual code is as follows:

ALTER procedure [sys].[sp_SetAutoSAPasswordAndDisable]
as
  -- can execute only as SysAdmin
  if (not (is_srvrolemember('sysadmin') = 1))
  begin
    raiserror(15247,-1,-1)
    return(1)
  end

  -- Begin a transaction
  BEGIN TRANSACTION

  -- Disable Password Policy on the SA Login
  ALTER LOGIN sa WITH CHECK_POLICY = OFF
  IF @@ERROR <> 0
  BEGIN
    ROLLBACK TRANSACTION
    RETURN (1)
  END

  -- Create a New Guid as the random password
  DECLARE @randompwd UNIQUEIDENTIFIER
  DECLARE @stmt nvarchar(4000)
  SET @randompwd = newid()
  -- quotename(..., '''') wraps the value in single quotes and doubles any quote inside it
  SELECT @stmt = 'ALTER LOGIN sa WITH PASSWORD = ' + quotename(@randompwd, '''')
  EXEC(@stmt)
  IF @@ERROR <> 0
  BEGIN
    ROLLBACK TRANSACTION
    RETURN (1)
  END

  -- Now set the policy back
  ALTER LOGIN sa WITH CHECK_POLICY = ON
  IF @@ERROR <> 0
  BEGIN
    ROLLBACK TRANSACTION
    RETURN (1)
  END

  -- Disable the login
  ALTER LOGIN sa DISABLE
  IF @@ERROR <> 0
  BEGIN
    ROLLBACK TRANSACTION
    RETURN (1)
  END

  -- Commit the transaction
  COMMIT TRANSACTION

When you execute this stored procedure the password for the SA account is reset to a random GUID, and then the account is disabled. Your auditors will appreciate this because not only is the password strong, the account itself is closed: you do not know the password, no one knows the password, and the login is disabled. That is as far as you can lock down the sa login itself; anyone holding sysadmin can still re-enable it and set a new password, so membership in sysadmin needs the same scrutiny.

If you need to roll your own solution to rotate the password for the SA login, the sp_SetAutoSAPasswordAndDisable stored procedure is a good starting point for customization. Note how it builds the ALTER LOGIN statement dynamically and wraps the value in quotename(@randompwd, '''') so that any quote in the password is escaped rather than breaking the statement. Just remember the password must be unique, should not follow a pattern that can be guessed (server name, MAC address, etc.), and should be long enough (at least 8 characters, and far longer for an account no human has to type) and complex enough (uppercase and lowercase letters, numbers, and symbols) to meet your network security requirements.
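For the roll-your-own rotation mentioned above, the following added Python example (not part of the original post and not anything shipped with SQL Server) generates a random password that satisfies the four-class rule stated here, compares its entropy with a GUID’s, and emits a correctly quoted ALTER LOGIN batch. The symbol set, the 32-character default length and the helper names are this example’s own choices; it prints T-SQL for you to run rather than connecting to a server. A GUID is 32 hex digits and hyphens, so it can never contain both upper- and lower-case letters and therefore fails the four-class rule, even though a version-4 GUID carries 122 random bits.

```python
"""Generate a policy-compliant random password for a SQL login and build the
T-SQL batch that sets it and disables the login, with proper quoting."""
import math
import secrets
import string

# The four classes the text requires. The symbol set is this example's choice and
# deliberately leaves out the single quote and characters awkward in batch files.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits,
           "!#$%&*+-/=?@^_~")
ALPHABET = "".join(CLASSES)


def meets_policy(pw: str, min_length: int = 8) -> bool:
    """The rule stated above: 8+ characters with upper, lower, digit and symbol."""
    return len(pw) >= min_length and all(any(ch in cls for ch in pw) for cls in CLASSES)


def generate_password(length: int = 32) -> str:
    """Uniform random draw from ALPHABET using the OS CSPRNG, rejected until
    every character class is present (rejection keeps the draw uniform)."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string; 32 hex digits give 128 bits at most,
    and a version-4 GUID has 6 of those bits fixed, leaving 122."""
    return length * math.log2(alphabet_size)


def tsql_string(value: str) -> str:
    """Unicode string literal with embedded quotes doubled, the same escaping
    that quotename(@x, '''') performs in the stored procedure above."""
    return "N'" + value.replace("'", "''") + "'"


def tsql_identifier(name: str) -> str:
    """Bracket-quoted identifier; a ']' inside the name is doubled."""
    return "[" + name.replace("]", "]]") + "]"


def rotate_and_disable_batch(login: str, password: str, disable: bool = True) -> str:
    """T-SQL batch that sets a new password and (optionally) disables the login."""
    ident = tsql_identifier(login)
    lines = [f"ALTER LOGIN {ident} WITH PASSWORD = {tsql_string(password)};"]
    if disable:
        lines.append(f"ALTER LOGIN {ident} DISABLE;")
    return "\n".join(lines)


if __name__ == "__main__":
    pw = generate_password()
    print(f"{entropy_bits(len(ALPHABET), len(pw)):.0f} bits of entropy "
          f"versus 122 for a GUID")
    print(rotate_and_disable_batch("sa", pw))
```

Run it on the server, pipe the output into sqlcmd, and discard the password: once the login is disabled nobody needs it, and the next rotation simply generates another one.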

 

Do not use any of the common passwords.

10 Critical Security Habits

We all want our computer systems to be a little more secure, but are you doing everything you should be doing to make that environment secure? Are you developing the security habits you need to make a truly secure environment? In a recent article by

  1. Use a Password Manager
  2. Use Two-Factor Authentication
  3. Data Backups
  4. Use VPN Tunnels
  5. Secure your Router
  6. Secure Password Recovery Email Accounts
  7. Stop Using Java
  8. Encrypt Everything
  9. Use Anti-Virus and Anti-Malware Tools
  10. Obscure your Webcam

Most of these are common knowledge, but maybe there are one or two items on this list that you haven’t considered? Maybe there is something that should be added to this list? Drop us a note on your thoughts.

The Common Mistakes That Make Your Passwords Weak

A post by Jeff Fox on State of the Net points out what is pretty much common knowledge these days: hackers use software to crack your passwords, and the longer the password, the harder it is for them to crack. But using a long password does not ensure that you have selected a secure one. It turns out there are common patterns that people follow that end up making their passwords more predictable. Don’t be a victim in 2015; learn to create and use better passwords.

Common Mistakes:

• Starting with an upper case letter followed by lower case letters
• When a password isn’t long enough, adding a letter or two to the base word
• Putting digits, especially two or four of them, before or after the letters
• When a special character is required, using “!” and putting it at the end
• Not using two special characters in the same password

Best Practices:

• Avoid beginning the password with an upper case letter—or maybe even any letter
• Create an acronym using the first letter of each word in a memorable sentence, as suggested by security expert Bruce Schneier: Example: t2cmlp,@yh (“Try to crack my latest password, all you hackers”) 
• Resist your natural tendency to mimic familiar words and phrases
• Use multiple special characters (@, ?, !, ~, &, etc.) in the same password
• Don’t always place digits adjacent to each other

Selecting Great Passwords

People continue to pick and use poor passwords. You might not think your password is important, but it is really the only thing between the entire world and your personal online accounts. If you have a password of eight random lowercase letters, there are about 200 billion (26^8) possible passwords. If a cracking program like Hashcat had to try them all at around a billion guesses per second, it would be done in about three and a half minutes. Mixing in upper case and digits increases the number of possible passwords, and raising the length to 12 characters catapults the number of possibilities to over 3 sextillion (62^12); at the same rate it would take Hashcat on the order of 100,000 years to work through all the combinations.

However, this does not take the human factor into account. You want to select a combination of characters that you can remember and that isn’t too difficult to enter a few times each day. The password also has to work within the limits imposed by the site or application when you create it. People wanting to crack your password are aware of those limitations. In fact, there are extensive lists of common password terms available on the internet, sorted by popularity. Cracking programs try those common words and their common alterations first, which gives them far better odds of success in a much shorter time.

Using some basic guessing techniques hackers can figure out about 90% of passwords in a list of 2500 sample accounts in just a few hours.

What can you do to beat these hackers?

  1. Don’t use a common password. If you look at the list of common passwords available all over the internet, you want to avoid anything listed on those lists. Keep your password unique to you.
  2. Never reuse a password. Maybe you found the perfect password, so you want to use that new password on all your online accounts. That is a serious mistake because if one account is compromised, all your accounts are compromised. Imagine doing the same thing in the physical world. You could change the locks on your house, car, work office door, parents house, and mailbox locks all to use the same physical key. If that were possible, your life would be easier because every physical lock you would encounter could be unlocked by the same physical key. You only have to carry one key to open or operate anything in your life. But what if the key is lost or stolen? Now everything in your life is subject to attack or theft, and you have to spend a lot of time and money changing all those locks.
  3. Make the password easy to use. A complex password doesn’t have to be difficult to use. If all you need is a long and unique password, you can make almost anything a password. Make-The-Pa55word-Ea5y-To-U5e is a complex password (this 29-character password includes uppercase and lowercase letters, numbers, and symbols) and a unique one, and it is also easy to remember and type; note that its strength comes from its length and the number of words, not from swapping 5 for s, a substitution cracking tools try automatically. You can go to this free website to help you create sample passwords. Another option is to memorize a paragraph from your favorite book or lyrics from a favorite song and then use the first letter of each word as your new password. “So your girlfriend rolls a Honda / Playing workout tapes by Fonda / But Fonda ain’t got a motor in the back of her Honda / My anaconda don’t want none unless you’ve got buns, hon.” – Sir Mix-a-Lot, “Baby Got Back” becomes the fairly simple password SygraHPwtbFBFagamitbohHMadwnuygbh, a 33-letter combination of upper and lower case letters.
  4. Change your password often. You might think your password is great, but remember any password can be guessed if the hacker has enough time to try all possible combinations of letters, numbers, and symbols. Even if it might take a hacker 5 years to guess your password, if you haven’t changed your password in 5 years, he might have guessed it by now. I suggest you change all your passwords at least every year. If the data the password is protecting is really valuable (customer data, banking accounts, etc.) you probably want to change the password at least every 90 days.

Password security isn’t impossible, once you understand what you have to do to pick a great password. Do you have any tips for passwords that you want to share? Leave a comment below.

Over a Billion Stolen Internet Passwords

The New York Times reports that a Russian gang has reportedly amassed a cache of over one billion stolen internet credentials, gathered by compromising websites with malware and other techniques.

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.

This is a serious security issue, and indicates why you need to be changing your passwords, and using complex unique passwords. You can read more about how to create a safe password here, and what makes a password safe here. Don’t let your accounts be compromised because you used a stupid password.

Password Security

After all the news on Heartbleed, the subject of password security has risen to a higher level of attention than normal. The average person only uses passwords because they have to, not because they think anyone wants to attack or compromise their accounts. If you ask people whether they are concerned about weak passwords and whether they think their accounts are safe from attack, they will tell you that no one wants to gain access to their accounts. Maybe that is true, but if you have access to something attackers want, they want access to your accounts.

While no one probably wants access to your Facebook or LinkedIn account, they do want access to your banking or corporate accounts. If they can breach one of your accounts, that often is a stepping stone to gain additional access until they can control all your accounts. Sadly, many people use the same password for their Facebook account as they use for banking, email, and corporate accounts. So if one account is breached, they also gain access to all your internet accounts.

If you have access to sensitive information, you should take the security of that information seriously. Use complex passwords, change the passwords often, and be mindful of potential security issues.

The first thing people will complain about when they are forced to create complex passwords is their inability to remember such long and complicated passwords. People will usually write their passwords down and ‘sticky-note’ them to the side of computers, underneath keyboards, or inside desk drawers. Online security and physical security seldom connect in the minds of average users. That’s why you need to offer some basic solutions.

  1. Keep It Simple – There’s no need to reinvent the wheel. Pick an established memory device or an actual piece of software to assist you in keeping track of your passwords. A password manager keeps track of all your passwords for you and protects them with one master password that you use to access them all. You only have to remember that one master password to get into the library of saved passwords, and the passwords such applications generate can be ridiculously long and complicated, so it is a good security device that is easy for you to use.
  2. All or Nothing – Secure all of your internet accounts. Don’t consider some accounts unimportant or less important than others. As already discussed, one weak account can be used to gain access to other accounts until all of your accounts are compromised. Add all your accounts to your new password system over a weekend or two until every account is covered. Start with your email accounts (they are where password resets for everything else land), then banking and other high-risk accounts, then your most used accounts, and finally the infrequently accessed ones. Make sure any new accounts are included in the new process as you go forward.
  3. Separate your Accounts – Never use the same password on multiple accounts. Never use your corporate network username or password for any private internet account. If a hacker is attacking your company and sees that your corporate credentials are used on the internet, they may leverage the internet account to gain access to your corporate network.
  4. Change Schedule – Create and keep a regular schedule for updating passwords and checking the security of your accounts. Hackers are constantly attacking weak systems and attempting to gain access to user accounts. Sometimes they compromise a system and hold user credentials for weeks before the site notifies you of the breach. If you change your account passwords fairly often, the window during which an attacker holds your current password is reduced. To remain secure, change your passwords a couple of times a year at minimum; some companies require a change every 90 days. As long as you monitor activity and use a system to change your passwords regularly, you should have a greatly reduced level of risk.

If you have access to sensitive or confidential information, like you would as a Database Administrator, you have the responsibility to take your security seriously and be diligent in maintaining a high degree of security.

 

The Math Behind Good Online Passwords

When incidents like ‘Heartbleed’ happen, the focus often turns to advice about what to do: “be sure to immediately change your passwords…”, “Follow these 10 tips to stay safe online…”, etc. You’ve seen these types of stories, but you might not understand what it takes to create a “safe” password, and the math behind that process.

Usually these safety warnings and security tips seem to fall on deaf ears. Data from previous password breaches shows that people are still routinely using common passwords like “password”, “qwerty”, “letmein”, or even “123456.” There’s math behind why passwords like those are weak and why others, like “p@s$w0rdD0gB1t3”, are stronger. The good news is that creating a more secure password might be as simple as adding two more characters.

You can watch a quick video on passwords here.

The Basics

Organizations usually store passwords in one of two ways: 

  • Plain Text – Plain text storage means that an intrusion into the database gives away complete login details, full username and password, which is not a good idea.
  • Hashes – Hashes provide an extra layer of security because the actual text of the password is not stored.

Hash operations are one-way mathematical functions that take input, like a password or other at-risk data, and transform it into a hash (see the example table below). The beauty of the hash is that it is computationally infeasible to recover the original password from the hash value alone. You can turn a password into a hash very easily, but there is no way to run the function backwards. It’s a one-way street.

Username                          Password Hash
johnsmith69@internetdomain.com    2ac9cb7dc02b3c0083eb70898e549b63
janedoe12@internetdomain.com      2455640b3bb59c197e714c8600dff64c
jijayda2341@internetdomain.com    b194a20eb542608fb54b17ce8f4a77e1

Systems typically store passwords as one-way hashes like the ones above, so when a user tries to log in, the password they type is transformed into the corresponding hash and compared against the hash stored in the system for that user. The hashes above are unsalted MD5 values (32 hexadecimal digits), which is the weakest form of hashed storage: every user with the same password gets the same hash, and MD5 is fast enough that an attacker can test billions of guesses per second. Current practice is a per-user random salt and a deliberately slow algorithm designed for passwords (bcrypt, scrypt, Argon2 or PBKDF2), which makes every guess cost far more.

How Do Hackers Get Passwords?

Sometimes a hacker will exploit a vulnerability in the system and get access to the data in the table above. The hacker then has the usernames and the password hashes but needs the actual passwords to log in to the accounts.

Remember, there is no way to compute the password from the hash. The hacker’s only option is to “go forward”: guess a password, run the same hash function over it, and compare the result with the stolen hash, repeating with computer-generated guesses until the right hash is produced.

For example, for johnsmith69@internetdomain.com the hacker might hash the commonly used password “Password” and get “dc647eb65e6711e155375218212b3964”, which does not match the hash in the table, so “Password” is not the password. The hacker’s computer keeps trying, with billions of candidates, either drawn from lists of known and common passwords (a dictionary attack) or generated exhaustively (brute force), until it reaches “Password1”, whose hash “2ac9cb7dc02b3c0083eb70898e549b63” matches the table. Now the attacker knows that johnsmith69@internetdomain.com’s password is “Password1” and can log into that account with that username and password combination. Although this may seem laborious, a computer can easily test over a billion guesses per second against a fast unsalted hash like this one.

You can see, from a SQL Server database development perspective, how easy it is to hash a list of words.
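The guess-hash-compare loop described above, as an added Python example (not code from the original article): it recovers the first password in the table from a tiny constructed wordlist, then shows the salted, deliberately slow storage (PBKDF2 from the standard library) that defenders use instead. The wordlist and the iteration count are this example’s own choices; the two hashes other than the first are copied from the table as-is and are not claimed to correspond to any particular password.

```python
"""Dictionary attack on unsalted MD5 hashes like the table above, next to the
salted slow-hash storage that makes each guess expensive."""
import hashlib
import hmac
import os

# Constructed copy of the table above. Only the first hash is known to be
# MD5("Password1"); the other two are just the values shown in the table.
STOLEN_TABLE = {
    "johnsmith69@internetdomain.com": "2ac9cb7dc02b3c0083eb70898e549b63",
    "janedoe12@internetdomain.com":   "2455640b3bb59c197e714c8600dff64c",
    "jijayda2341@internetdomain.com": "b194a20eb542608fb54b17ce8f4a77e1",
}

# Tiny constructed wordlist; a real one has hundreds of millions of entries.
WORDLIST = ["123456", "password", "Password", "qwerty", "letmein",
            "Password1", "dragon", "baseball"]


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def dictionary_attack(stolen: dict, wordlist: list) -> dict:
    """Hash every candidate once and look it up against all stolen hashes.
    With unsalted hashes one guess is checked against every user for the
    cost of a single MD5, which is why such tables fall so quickly."""
    hash_to_user = {h: user for user, h in stolen.items()}
    cracked = {}
    for word in wordlist:
        user = hash_to_user.get(md5_hex(word))
        if user:
            cracked[user] = word
    return cracked


# Defender side: a per-user random salt and a deliberately slow key derivation.
PBKDF2_ITERATIONS = 300_000   # chosen so one verification costs a visible fraction of a second


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Return the record to persist: (salt, iteration count, derived key)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: tuple) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(dictionary_attack(STOLEN_TABLE, WORDLIST))
    record = store_password("Password1")
    print(verify_password("Password1", record), verify_password("Password", record))
```

The salt means two users who both chose Password1 get different records, so a precomputed table is useless, and the iteration count turns a billion guesses per second into a few thousand.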

How Long Does It Take To Crack Your Password?

The short answer: it depends. Let’s just say very quickly if your password is weak. The figures below assume an attacker who tries about a billion guesses per second (as above) and, in the worst case, has to work through the whole space.

  • If your password is eight characters long and all lower-case, like “password,” it would take a hacker 3.5 minutes to guess it.
  • Changing one of those lowercase characters to an uppercase character, like “Password,” means it would take him almost 15 hours.
  • Replacing any letter with a special character and keeping the uppercase character, like “P@ssword,” means it would take the hacker 70 days to guess your password.
  • If you added a single character to “P@ssword” to form “P@ssword1” it would take the hacker 18 years to guess the password.
  • If you added two characters to “P@ssword,” to form “P@ssword11” it would take the hacker 1,707 years to guess the password.

And so forth until you arrive at some astronomical numbers.

See the table below:

                         8 characters   9 characters   10 characters   11 characters   12 characters
LC                       208 seconds    90 minutes     39 hours        42 days         3 years
LC & UC                  14 hours       32 days        4.5 years       238 years       12,394 years
LC & UC & Digits         2.5 days       0.5 years      26 years        1,650 years     102,304 years
LC & UC & Digits & SC    70 days        18 years       1,707 years     169,546 years   15,091,334 years

LC = lowercase
UC = uppercase
SC = special characters (!@#$%^&*, etc.)

You’ll see the larger values in the bottom right corner of the table. If your password is 12 characters long, contains uppercase and lowercase characters, a digit and a special character it may take over 15 million years for a hacker to guess your password. This is the simple math behind blanket recommendations to increase your password complexity.

NOTE: The math in the above assumes the hacker is randomly generating password guesses. If they are using a dictionary of common words or common passwords, these times could be significantly faster.

What Makes a Password Secure?

Above, we tackled the basics about password storage, the value of hashes and then calculated how long it takes a hacker to get your password using brute force cracking – as quickly as 3.5 minutes in some cases. What we hope you got out of that information is that the longer and more complex your password is (complex as defined as containing an uppercase character, lowercase character, number and special character) the longer it takes a hacker to crack your password.

A 12-character password with each of those elements would take as long as 15,091,334 years to crack with a single computer.

For many people, 15 million years of “protection” might create better peace-of-mind. However, the unfortunate reality with online passwords is that even these long and complex passwords are susceptible to cracking. Here’s why:

  • In order for a password to be considered secure, it needs to be truly random and unique.

What Is Truly Random?

Many people choose a base word for their password, like “password”, and transform it to be superficially “complex”: they replace letters with special characters or digits and add some capitalization, so “password” becomes P@55w0rD. If each of the eight letters can appear in one of three forms (plain, uppercase, or substituted), there are only 6,561 (3^8) versions of “password”, which is far from an unbreakable number.

Thus, a hacker using a brute-force technique isn’t just going to start with “aaaaaaaa” and go down the list, “aaaaaaab”, “aaaaaaac”, etc. He is going to apply intelligence to the cracking. That intelligence most often means starting from common base words (a dictionary attack) and applying mutation rules to each, so not only will he try the very simple “password” but all 6,561 versions, including the “complex” P@55w0rD.

There are approximately 220,000 dictionary base words, so even if you add up to three digits to your transformed base word and form something like “P@55w0rD123”, the search is 220,000 × 6,561 × 1,111 candidates (zero to three digits give 1 + 10 + 100 + 1,000 suffixes), about 1.6 trillion in total, and a computer at a billion guesses per second would take about 26 minutes to crack it, no matter how long the password looks. With complete randomness in a password, hackers can’t make base-word assumptions about it and cut down the search space.

But that’s not all. A secure password must also be unique.

What Is Unique?

Unfortunately, some companies still store actual text passwords in their databases instead of the hashes so if a hacker gets into the system, he now has more base words to add to his roster. So if you use the same password, or even base word, for two accounts and one of those is compromised, no matter how long or random it is, that hash and password are now known. The hacker can then log in to any account that you are using the same password for. This also means that if someone else uses your password, or some version of it as outlined above, you could be compromised.

What Do I Do?

  1. Make sure all of your passwords are truly random.
  2. Make sure none of your passwords are used by anyone else or re-used by you.

How do you do something that seems so complicated? Let’s assume for a moment that all 7 billion people in the world have 100 online accounts and use a different password for each. That means we would need 700,000,000,000 truly unique passwords in the world. For there to be less than a 0.00001% chance (one in ten million) that a randomly chosen password collides with any of them, you’d need to choose from 7 quintillion possibilities, that’s 7,000,000,000,000,000,000. That may sound like a lot, and it is. On a standard English keyboard (94 characters) ten random characters already exceed it (94^10 is about 5 × 10^19); 16 random characters (94^16, about 4 × 10^31) leave a comfortable margin and would take about 1 quadrillion years to brute-force at a billion guesses per second, with no shortcut around that search.

Since you cannot control what companies do with your password, we recommend at least a 16-character truly random and unique password, so the hacker can’t leverage someone else’s password to figure out yours and has to do the hard work (read: 1 quadrillion years) to figure it out.

How is anyone supposed to remember such complex passwords?

The obvious answer is a password manager, which is what everyone recommends but usually without saying why. With one of these you only have to remember one password, so make it a really good one! The remaining shortcut to your passwords is physical access to your computer itself, a separate security issue altogether. The password manager remembers the rest for you. It is also more convenient, since you now only have to remember one password, and it is more secure than the average website’s password storage.

Since each solution has its own advantages and works on different platforms, it’s difficult to recommend just one for you specifically. Try a few for yourself and see which package you prefer. Once you have installed and configured the software, you will find they are easy to use and help make your internet experience safer and more secure.

This is a quick list of popular password managers.

Think Security.
