Microsoft KB Archive/818145

= How To: Avoid Sending Password in Clear Text When Connecting to SQL Server by Using SQL Authentication =

Article ID: 818145

Article Last Modified on 5/30/2003


APPLIES TO


 * Microsoft Data Access Components 2.5
 * Microsoft Data Access Components 2.6
 * Microsoft Data Access Components 2.7




SUMMARY
This article discusses the different ways a client application can prevent sending passwords in clear text when connecting to SQL Server by using SQL Authentication.



MORE INFORMATION
One option is to use Microsoft Data Access Components (MDAC) version 2.6 or later on the client side, and to use Secure Sockets Layer (SSL) with SQL Server 2000. This way, the MDAC 2.6 client sends encrypted passwords over the wire to SQL Server.

A second option to protect passwords sent over the wire to SQL Server is to use obfuscation. Password obfuscation means that the password is not sent in clear text to the server. Password obfuscation can be achieved by using MDAC 2.6 (or later) on the client side against SQL Server 2000 (without using SSL on the SQL Server side).

Note the following about MDAC 2.6 and later versions:
 * By default, MDAC 2.6 and later versions always send obfuscated passwords to the server (SQL Server version 7.0 or later).
 * MDAC 2.6 and later versions support using SSL when connecting to SQL Server 2000. This is the most secure solution.
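
To find which of the two options above an application's connection strings actually rely on, the following added example (not part of the original KB article) classifies SQLOLEDB and ODBC connection strings. The keywords `Use Encryption for Data` (SQLOLEDB) and `Encrypt` (ODBC) do not appear in the article, and the sample strings, server names and passwords are constructed.

```python
import re

# key=value pairs; values may be quoted ("..." / '...') or ODBC-braced ({...}).
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("(?:[^"]|"")*"|'(?:[^']|'')*'|\{[^}]*\}|[^;]*)""")
PASSWORD_KEYS = ("password", "pwd")
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
ENCRYPT_KEYS = ("use encryption for data", "encrypt")  # SQLOLEDB, ODBC

def parse(conn_str):
    """Return the connection-string properties with lower-cased keys."""
    props = {}
    for m in PAIR.finditer(conn_str):
        val = m.group(2).strip()
        if len(val) >= 2 and (val[0] + val[-1]) in ('""', "''", "{}"):
            val = val[1:-1]  # drop the surrounding quotes or braces
        props[m.group(1).strip().lower()] = val
    return props

def enabled(props, keys, truthy):
    """True if any of the given keywords is set to an enabling value."""
    return any(props.get(k, "").lower() in truthy for k in keys)

def classify(conn_str):
    """Say how the SQL Authentication password, if any, travels to the server."""
    props = parse(conn_str)
    if enabled(props, INTEGRATED_KEYS, ("sspi", "yes", "true")):
        return "integrated"                # Windows authentication, no SQL password
    if not any(props.get(k) for k in PASSWORD_KEYS):
        return "no-sql-password"
    if enabled(props, ENCRYPT_KEYS, ("yes", "true")):
        return "sql-auth-encrypted"        # first option: SSL requested
    return "sql-auth-obfuscated-only"      # second option: MDAC 2.6+ default

# Constructed sample strings (hosts, accounts and passwords are made up).
SAMPLES = [
    "Provider=SQLOLEDB;Data Source=db01;Initial Catalog=app;User ID=svc;Password=Constructed1",
    "Provider=SQLOLEDB;Data Source=db01;User ID=svc;Password=\"p;w\";Use Encryption for Data=True",
    "Driver={SQL Server};Server=db01;UID=svc;PWD={a;b};Encrypt=yes",
    "Provider=SQLOLEDB;Data Source=db01;Integrated Security=SSPI",
]

if __name__ == "__main__":
    for s in SAMPLES:
        props = parse(s)
        # Print the target server only, never the credentials.
        print(classify(s), "<-", props.get("data source") or props.get("server"))
```

Encryption can also be enforced by server or client network configuration, which a connection string check cannot see, so `sql-auth-obfuscated-only` means only that the string itself does not request SSL.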

