INF: SQL Server 7.0 Clients Can Send Encrypted Password Strings (252660)



The information in this article applies to:

  • Microsoft SQL Server 7.0

This article was previously published under Q252660

SUMMARY

To prevent someone from viewing a password in clear text, the password sent over a standard SQL Server ODBC connection to a SQL Server 7.0 server appears encrypted in a network trace.

MORE INFORMATION

If the ODBC client is using the 3.70.0623 SQL Server driver, or later, and is also using standard SQL Server security, the user password that is sent is encrypted if the following conditions are true:
  • The ODBC client has previously established a connection to the server.
  • The ODBC client is using the SQL Server Driver 3.70.0623, or later.
The encryption algorithm used is not strong, does not use a 128-bit algorithm, and is not recommended for connections across the Internet.

Initial connections to a SQL Server 7.0 server send the 6.5 login packet and the password is visible. After a connection is established, the client updates the following registry key with the server name and the SQL Server 7.0 string:

HKLM\Software\Microsoft\MSSQLServer\Client\TDS

After the registry key is updated, future connections from the client to the server encrypt the password string.
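
A client-side check for the behavior described above, as an added example that is not part of the original article: it lists the entries under the TDS key and warns about servers that have no entry yet. The server names, the second (WOW6432Node) key path, and the assumption that each value is named after a server are not from the article.

```powershell
# Added example, not Microsoft's code. Assumes each value under the TDS key is
# named after a server (the article says the key is updated "with the server
# name and the SQL Server 7.0 string"); the data is printed as found.
param(
    # Hypothetical names of servers this client is expected to connect to.
    [string[]]$ExpectedServers = @('SQLPROD01', 'SQLTEST02')
)

$keyPaths = @(
    'HKLM:\Software\Microsoft\MSSQLServer\Client\TDS',
    # Assumption: 32-bit registry view on 64-bit Windows, used by 32-bit drivers.
    'HKLM:\Software\WOW6432Node\Microsoft\MSSQLServer\Client\TDS'
)

function Get-TdsCacheEntries {
    param([string]$Path)
    # A missing key means no server has been recorded in this registry view.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            KeyPath = $Path
            Server  = $name
            Data    = $key.GetValue($name)
        }
    }
}

$entries = @($keyPaths | ForEach-Object { Get-TdsCacheEntries -Path $_ })
$entries | Format-Table -AutoSize

# Per the article, a server with no entry has not been connected to before, so
# the next login sends the 6.5 login packet with the password visible.
$known = @($entries | ForEach-Object { $_.Server })
foreach ($server in $ExpectedServers) {
    if ($known -notcontains $server) {
        Write-Warning "No TDS entry for '$server': first login will expose the password."
    }
}
```

An entry only indicates that later logins use the encrypted password string, which the article describes as not strong.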


Microsoft SQL Server 2000 network libraries support strong encryption through Secure Sockets Layer (SSL).

Modification Type: Major
Last Reviewed: 4/27/2001
Keywords: kbDSupport kbinfo KB252660