Encryption: The password is not encrypted anymore

Hi Brian;

I am testing version 4 now. What I noticed about encryption: in version 3 the password was encrypted in the script as well, but now it is not encrypted anymore.

In version 3 it was :

PASSWORD = ''<ENCRYPTEDPASSWORD>iSOZ</ENCRYPTEDPASSWORD> ''

In version 4 it is :

PASSWORD = ''12345''

12345 is the password which was provided at the time of taking backup.

So, is there any setting I have to change to encrypt the password in the script, or is that feature gone in version 4?

Thanks
Essa
essamughal
0

Comments

3 comments

  • petey
    Are you referring to the script generated in the Restore Wizard? If so, then yes, the password in the script is no longer encrypted. In fact, SQL Backup will no longer accept encrypted passwords for a RESTORE process.

    Here's the reason:

    In general, users feel comforted when they see something like this

    RESTORE ... WITH PASSWORD = ''<ENCRYPTEDPASSWORD>iSOZ</ENCRYPTEDPASSWORD> ''

    and get careless with the script. Perhaps they think it's no big deal if the public sees it. However, if a 3rd party gets hold of your backup files, they can simply use the same script to perform the restore, WITHOUT having to know your actual password (12345).

    By not encrypting the password anymore, we hope users will then secure their scripts appropriately. Really, we do not want to give them a false sense of security.

    So, you can make a backup with an encrypted password, and another user using SQL Profiler might capture your command (with the encrypted password), but he will be unable to restore the backup if he does not know the actual password.
    petey
    0
  • essamughal
    Hi ;

    Yes, I was talking about the Restore Script generated by the SQL Backup API.

    Now, I know we have to encrypt the Restore Script completely if we don't want anyone to get hold of it.

    One more thing: if someone sees the Restore command in Profiler, then he will know the password to restore the backup file as well.

    thanks
    essamughal
    0
  • petey
    "One more thing: if someone sees the Restore command in Profiler, then he will know the password to restore the backup file as well."

    That's the idea, to make people aware of issues when the passwords are in the clear. Makes users more cautious.
    petey
    0
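A check that follows from the point made in the replies, added here as an example and not part of the original thread or of SQL Backup: scan scripts for embedded passwords and report the version 3 `<ENCRYPTEDPASSWORD>` form as a secret too, since that token was enough to run the restore. The function name, the finding labels and the sample lines are assumptions; the sample is constructed from the snippets quoted above.

```python
import re

# PASSWORD = '...' or PASSWORD = ''...'' (quotes are doubled when the command
# is nested inside another T-SQL string literal, as in the thread's snippets).
PASSWORD_RE = re.compile(
    r"\bPASSWORD\s*=\s*(?P<q>'{1,2})(?P<value>.*?)(?P=q)", re.IGNORECASE)
TOKEN_RE = re.compile(
    r"<ENCRYPTEDPASSWORD>.*?</ENCRYPTEDPASSWORD>", re.IGNORECASE)

# Constructed sample built from the lines quoted in the thread.
SAMPLE = """\
RESTORE ... WITH PASSWORD = ''<ENCRYPTEDPASSWORD>iSOZ</ENCRYPTEDPASSWORD> ''
RESTORE ... WITH PASSWORD = ''12345''
BACKUP ... WITH PASSWORD = '12345'
RESTORE ... WITH REPLACE
"""


def scan_script(text):
    """Return (line_no, kind, redacted_line) for every embedded password.

    Both kinds are findings: a cleartext password is obviously a secret, and
    an encrypted token that the tool accepts as-is unlocks the backup just
    the same, so neither belongs in a script that is shared or world-readable.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = PASSWORD_RE.search(line)
        if not match:
            continue
        value = match.group("value")
        kind = "encrypted-token" if TOKEN_RE.search(value) else "cleartext"
        # Redact the value so the report itself does not leak the secret.
        redacted = line[:match.start("value")] + "***" + line[match.end("value"):]
        findings.append((line_no, kind, redacted.strip()))
    return findings


if __name__ == "__main__":
    for line_no, kind, redacted in scan_script(SAMPLE):
        print(f"line {line_no}: {kind}: {redacted}")
```
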
