Last week Sentrigo brought a security hole in SQL Server to my attention. The issue is simply that SQL Server stores passwords in clear text in memory, so it’s quite possible to sniff the memory to retrieve passwords of other users. That in itself doesn’t sound dangerous at first glance because you have to have system admin rights in the database to do this. However, there are two basic situations where this could be horrendous.
Because most users have the same password everywhere, once you gain access to this password, you’ve gained access to all the boxes that account is on. This works only on native SQL passwords, not on Windows passwords. When you use a Windows account to log into SQL, you don’t give it a password; you only pass in your security token, and there’s no password to steal. With SQL passwords, however, you pass in the SQL username and password, and this combination is stored in clear text in memory.
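To size up exposure on a given instance, here is an added T-SQL check (not from the original post) that lists the logins that authenticate with a native SQL password, the only ones affected, and the accounts holding sysadmin, which is the privilege the post says is needed. It uses only the standard catalog views `sys.server_principals`, `sys.sql_logins` and `sys.server_role_members`.

```sql
-- Part 1: SQL-authenticated logins (type 'S'), i.e. the accounts whose
-- password is sent to the server and, per the post, kept in memory.
-- Certificate-mapped system logins (##MS_...##) are excluded as noise.
SELECT  p.name,
        p.is_disabled,
        sl.is_policy_checked,      -- Windows password policy enforced?
        sl.is_expiration_checked,  -- password expiration enforced?
        sl.modify_date             -- last change of the login definition
FROM    sys.server_principals AS p
JOIN    sys.sql_logins        AS sl ON sl.principal_id = p.principal_id
WHERE   p.type = 'S'
  AND   p.name NOT LIKE '##%'
ORDER BY p.name;

-- Part 2: every member of the sysadmin fixed server role. Each of these
-- accounts can reach the memory of the SQL Server process; the list
-- should be short and contain no shared or service-style SQL logins.
SELECT  m.name      AS member_name,
        m.type_desc AS member_type,  -- SQL_LOGIN vs WINDOWS_LOGIN / GROUP
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;
```

Any login that shows up in both result sets is a SQL-password account with sysadmin rights, and a candidate for conversion to Windows authentication or, at minimum, a unique password that is not reused on other boxes.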