Press "Enter" to skip to content

Category: Security

PostgreSQL Removing MD5 Hashing for Authentication

Published 2026-05-18 by Kevin Feasel

Lukas Vileikis covers the consequences:

In late 2024, a message by Nathan Bossart hit the database spotlight. Within it, he proposed a “multi-year, incremental approach to remove MD5 password support from PostgreSQL.”

Before we dive in completely, let’s establish one important thing first: what exactly is MD5?

One thing I strongly disagree with: Lukas’s comment that “A decade or so ago, when computing power was far smaller than it is now, MD5 was considered an ‘okay’ hashing mechanism.” There were MD5 rainbow tables readily available 15 years ago and people already realized MD5 was not good for password hashing, even with a salt. To the extent that these platform vendors thought it was “okay” a decade ago, they were already way out of date.

Leave a Comment

Eleven CVEs for PostgreSQL

Published 2026-05-15 by Kevin Feasel

Christophe Pettus takes us through just shy of a dozen security issue fixes:

PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are out as of May 14, 2026. The release fixes eleven security issues and more than sixty bugs. That is not a typo. Eleven CVEs is the largest single-release security batch I can remember, and three of them are CVSS 8.8 with practical exploitation paths. Patch this week. If you can patch tomorrow, patch tomorrow.

Click through for a rundown.

Leave a Comment

Managed Identities in SQL Server 2025

Published 2026-05-06 by Kevin Feasel

Greg Low offers another security option for service management:

Those who have worked with SQL Server will understand the need to avoid storing passwords for accessing resources. Windows-based identities are fine for on-premises SQL Server systems, including those on cloud-based virtual machines (VMs), but are of no use when you need to access cloud-based resources like those in Azure.

Some Azure-based resources (including storage accounts) offer other access methods, such as shared access signatures (SAS), but these aren’t much of a step-up from passwords.

What’s really needed is for SQL Server to have its own Microsoft Entra based identity. These can be used directly with Azure-based resources – and that’s exactly where managed identities come in.

Click through to see how it works. Importantly, this is a feature that requires additional payment.

Leave a Comment

A Primer on Group Managed Service Accounts

Published 2026-05-04 by Kevin Feasel

Randy Knight shows off a useful feature in Windows:

Service account management is one of the quietest ways a SQL Server estate goes wrong. Passwords get set once during install, written down somewhere (or worse, not written down), and then never rotated. The DBA who built the environment leaves. A security audit shows up. Suddenly you’re staring at a hundred service account passwords nobody remembers, and the prospect of changing them all on a maintenance window nobody wants to schedule. Group Managed Service Accounts (gMSAs) solve this.

They’ve been a fully supported option for SQL Server since 2014, they work with Failover Cluster Instances and Availability Groups, and Active Directory rotates the passwords for you on a schedule you control. We use them by default on every new SQL Server build at SSG.

And yet, in a decade of Health Checks, we still rarely see them deployed. The most common reasons we hear: “I tried it once and SPNs broke,” or, “I wasn’t sure it would work with our AG.” Both are addressable. Here’s what you need to know to deploy gMSAs successfully.

gMSAs are very useful at providing a managed identity for on-premises solutions. You don’t need to save passwords anywhere but still have full control over who’s allowed to access a given resource.

Leave a Comment

Dropping Users and Stale EXTERNAL MODEL Permissions

Published 2026-05-01 by Kevin Feasel

Andreas Wolter sees a cache invalidation issue:

When identity or permission boundaries behave inconsistently – even under specific lifecycle conditions – that is more than a product bug. It becomes a security-relevant design issue, because security depends not just on how access is granted, but also on how reliably it is revoked.

While investigating the new permission model introduced alongside SQL Server 2025’s AI integration and vector search capabilities (Article: New Permissions in SQL Server 2025), I encountered a case where EXTERNAL MODEL permissions can persist after a user is dropped, creating stale authorization state.

Click through to learn more about this issue and what it means.

Leave a Comment

Microsoft Fabric Eventstream Network Security Features

Published 2026-04-22 by Kevin Feasel

Alex Lin looks at network security features:

Eventstream in Fabric Real-Time Intelligence stream data from both inside and outside the Fabric platform. When your external sources sit behind firewalls or in private networks, choosing the right network security feature is essential. This post breaks down the available options in Eventstream and helps you determine which one fits your scenario.

Click through for more information.

Comments closed

New SQL Server CVEs

Published 2026-04-20 by Kevin Feasel

Rebecca Lewis takes a look at a few more vulnerabilities Microsoft has patched in SQL Server:

This week’s Patch Tuesday landed three new SQL Server CVEs. Two are elevation-of-privilege bugs — familiar territory, we had three of those last month. The third one is different. CVE-2026-33120 is a remote code execution flaw in SQL Server 2022. CVSS 8.8. An authenticated, low-privileged login on the network can execute arbitrary code on your SQL Server.

Go. Patch. Now.

Click through for more information and be sure to get these patched.

Comments closed

Cracking SQL Server 2025 SQL Auth Passwords with hashcat

Published 2026-04-17 by Kevin Feasel

Vlad Drumea has a great post:

Last year I wrote about SQL Server 2025’s new PBKDF2 hashing algorithm: what that means from a security perspective, as well as how it impacts online cracking.
And even how to enable it in SQL Server 2022.

Vlad created a module that cracks SQL Server 2025 passwords offline (versus actually connecting to the SQL Server instance itself and extrapolates it to online cracking (connecting to the SQL Server instance and trying different passwords). Vlad has some really good news on the whole and this post serves to explain why Microsoft introduced PBKDF2 as part of the hashing algorithm for SQL Server 2025.

Comments closed

Preventing SQL Injection in Stored Procedures

Published 2026-04-16 by Kevin Feasel

Vlad Drumea fixes a procedure:

In the past few years, I’ve seen quite a few stored procedures that rely on dynamic T-SQL without properly guarding for SQL injection.

Some cases were reporting stored procedures, while others were maintenance type stored procedures (e.g. stats updates) that could be kicked off from the app, or even stored procedures that handled app upgrades/patching.

In all these cases, certain portions of the dynamic T-SQL relied on input provided by users via input parameters.

Read on for an example. The solution is still the classic combination of QUOTENAME() and sp_execute_sql whenever you have user input.

Comments closed

Syncing Logins across Failover Groups for Managed Instances

Published 2026-04-15 by Kevin Feasel

Andy Brownsword gets replicating:

Failover Groups for Managed Instances are a great option to replicate data, but they don’t replicate key instance elements – one of which is logins that live in the master database. If left unchecked, failovers leave systems unable to connect and panic ensues.

To alleviate this we’ll look at a script to synchronise logins and permissions across replicas.

Click through for a link to the script and an explanation of what’s going on with it.

Comments closed