I am pretty sure this is incorrect.

[BillMcNabb]

"When SQL Server logins are used, SQL Server login names and passwords are passed across the network, which makes them less secure." You are not doing anyone any favors with comments like this. Passwords are supposedly hashed and not sent in clear text. If this is not true, please let me know. If it is true, please be more specific.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 8534d363-5147-4022-82d0-a4a3346040b2
• Version Independent ID: 81d6e039-1ad5-90d1-3707-fb7a5c7a0e16
• Content: Authentication in SQL Server
• Content Source: docs/framework/data/adonet/sql/authentication-in-sql-server.md
• Service: unspecified
• Product: dotnet-framework
• GitHub Login: @douglaslMS
• Microsoft Alias: douglasl

[douglaslMS]

#in-progress

[douglaslMS]

@BillMcNabb You're right that the quoted statement could leave a reader with questions. We will clarify to say that "ENCRYPTED passwords are passed across the network." However, since encryption can be broken, I believe the statement that passing passwords (SQL auth) as opposed to NOT passing passwords (Windows auth) is less secure, is a valid cautionary statement. How else would you improve this language?

[BillMcNabb]

Hello Douglas, Yes that would be fine. The problem I have is there is so much misinformation on the internet. And, I am dealing with an auditor that is claiming SQL Server Auth passwords are sent in clear text. This document was the newest I could find, but it did not make it clear that passwords are not sent in clear text. Thank you, Bill From: Douglas Laudenschlager [mailto:notifications@github.com] Sent: Monday, May 21, 2018 3:48 PM To: dotnet/docs <docs@noreply.github.com> Cc: BillMcNabb <bm1000@comcast.net>; Mention <mention@noreply.github.com> Subject: Re: [dotnet/docs] I am pretty sure this is incorrect. (#5534) @BillMcNabb <https://github.com/BillMcNabb> You're right that the quoted statement could leave a reader with questions. We will clarify to say that ENCRYPTED passwords are passed across the network." However, since encryption can be broken, I believe the statement that passing passwords (SQL auth) as opposed to NOT passing passwords (Windows auth) is less secure, is a valid cautionary statement. How else would you improve this language? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5534 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AlrEV4ran9RFuhH8IYh53QT-iKIuck62ks5t00QVgaJpZM4UHrJo> . <https://github.com/notifications/beacon/AlrEV2eDDnFH_ugRpwurdCSlV3xC2gPMks5t00QVgaJpZM4UHrJo.gif>

[douglaslMS]

@BillMcNabb First, I empathize with your situation. Second, I agree that the results of a web search are ... inconsistent. The confusion's made worse by the fact that two-thirds of the results are about saving an encrypted password locally or in app settings, rather than about sending an encryypted password. When you talk about sending SQL logins, is the sender SSMS, or a client app probably written using ADO.NET, or a web app? It seems to me that the answer could theoretically be dependent on the sending app and its settings.

[douglaslMS]

@BillMcNabb This issue has been closed because I resolve the ambiguity in the article that was the doc issue you raised. However if you want to answer any of my previous questions I can double-check a little further. The article mentioned in this issue describes ADO.NET and therefore the SqlClient provider sending logins. That might not be your scenario.