Cody Konior looks at a case where SMO can leak SQL authentication passwords:
SMO connects to SQL Server using the ADO.NET SQLClient library which has 13+ years of features which help mask the passwords you pass in for SQL Authentication. SMO bypasses some of those features to often leak the passwords in clear-text.
- Even where it would normally be hidden.
- Even where you use Persist Security Info, introduced in 2005.
- Even where you use System.Security.SecureString, introduced in 2012.
- Though thankfully not where you use System.Data.SqlClient.SqlCredential, also introduced in 2012. However… there are some caveats here too.

We'll prove it through repeatable tests that can be used to track if Microsoft fix the problem or not.
Read the whole thing.
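For context on the three SqlClient mechanisms named above, here is an added example (not from Cody Konior's post, and it does not touch SMO or reproduce his tests) that exercises them against plain ADO.NET with no live server: it shows that a SqlCredential keeps the password out of the connection string altogether, that a password embedded in the string is still readable before Open() even with Persist Security Info=False, and that SqlClient refuses to mix the two. Written for Windows PowerShell 5.1; the server name, login and password are placeholders constructed for the demonstration.

```powershell
# Added example: exercises SqlClient's password-masking features without SMO.
# Server name, login and password below are placeholders, not real credentials.
Add-Type -AssemblyName System.Data

$server = 'localhost'      # placeholder instance name
$user   = 'app_user'       # placeholder SQL login
$plain  = 'P@ssw0rd!'      # placeholder password, constructed for this test

# 1. Build a SecureString and make it read-only. SqlCredential's constructor
#    requires a read-only SecureString and throws ArgumentException otherwise.
$secure = [System.Security.SecureString]::new()
$plain.ToCharArray() | ForEach-Object { $secure.AppendChar($_) }
$secure.MakeReadOnly()

# 2. SqlCredential carries the password separately from the connection string,
#    so SqlConnection.ConnectionString never contains it.
$cred = [System.Data.SqlClient.SqlCredential]::new($user, $secure)
$conn = [System.Data.SqlClient.SqlConnection]::new("Server=$server;Persist Security Info=False")
$conn.Credential = $cred

if ($conn.ConnectionString.Contains($plain)) {
    throw 'password unexpectedly present in the connection string'
}
"SqlCredential: ConnectionString = '$($conn.ConnectionString)' (no password)"

# 3. Contrast: a password embedded in the string is returned in clear text until
#    the connection has been opened. Persist Security Info=False only strips it
#    from ConnectionString once the connection is, or has been, open.
$embedded = "Server=$server;User ID=$user;Password=$plain;Persist Security Info=False"
$leaky = [System.Data.SqlClient.SqlConnection]::new($embedded)
"Embedded password, before Open(): visible = $($leaky.ConnectionString.Contains($plain))"

# 4. SqlClient will not let Credential be combined with a string that already
#    contains User ID / Password; the setter throws InvalidOperationException.
try {
    $leaky.Credential = $cred
    'unexpected: Credential accepted alongside an embedded password'
} catch {
    $base = $_.Exception.GetBaseException()
    "SqlClient rejected Credential on an embedded-password string: $($base.GetType().Name): $($base.Message)"
}

# Zero the SecureString when done; the plain-text $plain is only here for the demo.
$secure.Dispose()
```

The point of the contrast in steps 2 and 3 is the one the post is making: the masking only helps if the code that builds the SqlConnection actually goes through SqlCredential (or opens the connection with Persist Security Info=False and then reads the string), which is exactly the path Konior's tests check SMO against.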