Encryption: The password is not encrypted anymore

essamughalessamughal Posts: 35
edited January 20, 2006 11:52AM in SQL Backup Previous Versions
Hi Brian;

I am testing Version 4 now, what I noticed in encryption, in version 3 the password was encrypted in script as well. But, now it is not encrypted anymore.

In version 3 it was :

PASSWORD = ''<ENCRYPTEDPASSWORD>iSOZ</ENCRYPTEDPASSWORD> ''

In version 4 it is :

PASSWORD = ''12345''

12345 is the password which was provided at the time of taking backup.

So, is there any setting which I have to do to encrypt the password in the script or that feature is gone in version 4. :?:

Thanks
Essa

Comments

  • peteypetey Posts: 2,358 New member
    Are you referring to the script generated in the Restore Wizard? If so, then yes, the password in the script is no longer encrypted. In fact, SQL Backup will no longer accept encrypted passwords for a RESTORE process.

    Here's the reason:

    In general, users feel comforted when they see something like this

    RESTORE ... WITH PASSWORD = ''<ENCRYPTEDPASSWORD>iSOZ</ENCRYPTEDPASSWORD> ''

    and get careless with the script. Perhaps they think it's no big deal if the public sees it. However, if a 3rd party gets hold of your backup files, they can simply use the same script to perform the restore, WITHOUT having to know your actual password (12345).

    By not encrypting the password anymore, we hope users will then secure their scripts appropriately. Really, we do not want to give them a false sense of security.

    So, you can make a backup with an encrypted password, and another user using SQL Profiler might capture your command (with the encrypted password), but he will be unable to restore the backup if he does not know the actual password.
    Peter Yeoh
    SQL Backup Consultant Developer
    Associate, Yohz Software
    Beyond compression - SQL Backup goodies under the hood, updated for version 8
  • Hi ;

    Yes, I was talking about the Restore Script generated by the SQL Backup API.

    Now, I know we have to encrypt the Restore Script completely if we don't any one to hold of it.

    One more thing, If someone see the Restore command into Profilier then he will know the password to restore the backup file as well.

    thanks
  • peteypetey Posts: 2,358 New member
    One more thing, If someone see the Restore command into Profilier then he will know the password to restore the backup file as well.

    That's the idea, to make people aware of issues when the passwords are in the clear. Makes users more cautious.
    Peter Yeoh
    SQL Backup Consultant Developer
    Associate, Yohz Software
    Beyond compression - SQL Backup goodies under the hood, updated for version 8
Sign In or Register to comment.