The rumor was that SQL Server passwords are case insensitive?

by Michael S. Kaplan, published on 2007/02/16 03:01 -05:00, original URI:

Trevor's question:

I heard a rumor that passwords in SQL Server are case insensitive. Is that true? If it is, isn't that a bug?

When I read Trevor's question I was reminded of that telephone game where you get to see how much the message changes as it goes from person to person.

Or in this case, from blog to blog?

The basic problem is that if you are running SQL Server:

that the server will (in addition to hashing the case-sensitive password value you assign) hash an all uppercase version of whatever you set. No exactly same as being case insensitive, but technically close.

You can read about if you go to blog posts like this one.

Note that they addressed this issue in SQL Server 2005 and no longer do this.

And also note that if you paid attention to posts of mine like this one, then you'd never hit the problem (since your server wouldn't be case insensitive).

And finally note that if you used only used NT integrated logons (which are more secure anyway) then SQL Server also wouldn't be doing this.

Summary: if you were doing the right thing, you'd never even notice a problem.... :-)


This post brought to you by  (U+0a0a, a.k.a. GURMUKHI LETTER UU)

no comments

Please consider a donation to keep this archive running, maintained and free of advertising.
Donate €20 or more to receive an offline copy of the whole archive including all images.

go to newer or older post, or back to index or month or day