SQL Server
United States (English) Sign in
Home 2012 2008 R2 2008 Previous Versions Library Forums
1 out of 2 rated this helpful - Rate this topic

PWDCOMPARE (Transact-SQL)

SQL Server 2012

Hashes a password and compares the hash to the hash of an existing password. PWDCOMPARE can be used to search for blank SQL Server login passwords or common weak passwords.

Topic link icon Transact-SQL Syntax Conventions

Copy 

          

PWDCOMPARE ( 'clear_text_password'
   , password_hash 
   [ , version ] )
' clear_text_password '

Is the unencrypted password. clear_text_password is sysname (nvarchar(128)).

password_hash

Is the encryption hash of a password. password_hash is varbinary(128).

version

Obsolete parameter that can be set to 1 if password_hash represents a value from a login earlier than SQL Server 2000 that was migrated to SQL Server 2005 or later but never converted to the SQL Server 2000 system. version is int.

Caution note Caution

This parameter is provided for backwards compatibility, but is ignored since password hash blobs now contain their own version descriptions. This feature will be removed in the next version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible.

int

Returns 1 if the hash of the clear_text_password matches the password_hash parameter, and 0 if it does not.

The PWDCOMPARE function is not a threat against the strength of password hashes because the same test could be performed by trying to log in using the password provided as the first parameter.

PWDENCRYPT is available to public.

CONTROL SERVER permission is required to examine the password_hash column of sys.sql_logins.

A. Identifying logins that have no passwords

The following example identifies SQL Server logins that have no passwords.

Copy 
SELECT name FROM sys.sql_logins 
WHERE PWDCOMPARE('', password_hash) = 1 ;

B. Searching for common passwords

To search for common passwords that you want to identify and change, specify the password as the first parameter. For example, execute the following statement to search for a password specified as password.

Copy 
SELECT name FROM sys.sql_logins 
WHERE PWDCOMPARE('password', password_hash) = 1 ;
Did you find this helpful?
(1500 characters remaining)

Community Additions

ADD
© 2013 Microsoft
|
Site Feedback
© 2013 Microsoft. All rights reserved.