About Microsoft Visual SourceSafe security

About Visual SourceSafe Passwords and Security

This page discusses Visual SourceSafe security issues about and a few misconceptions about SourceSafe passwords.

Does Visual SourceSafe send clear text passwords over the network?

No. SourceSafe is a distributed client application. Each client accesses directly the VSS database; all passwords validations are done on client machines. The user typed-in password is hashed on the client machine and the hash is compared locally against the hash read from the VSS database. Note however that when 3rd party applications that provide remote-VSS functionality are used (client-server applications), those applications need to send the passwords to the server. They may or may not send the password over a secure channel... VSS 2005 Internet plugin does not send the password unless a secure channel is used (SSL). When http connections are used, the user can only login using automatic logon with Windows username (if the database is configured to allow such logins).

I forgot my SourceSafe or Admin's password, can I recover it?

In most cases, no. Visual SourceSafe creates a 16-bit hash of the password typed by users and stores in the database only the hash. For a particular hash value there are millions of password combinations that produce the same hash. Because of this, recovering the exact password is impossible in most cases. Note however that if the VSS password is chosen to be a simple word or a name (and a hacker knows this fact), a dictionary attack can be used to reduce the number of the matching combinations. My estimation is that a dictionary attack will find 2-3 words that will match such SourceSafe password.

Should Windows passwords be reused for SourceSafe passwords?

Microsoft recommends on MSDN that you should not use the same password for your operating system password and your VSS password. This is a good advice. It's unlikely a hacker will use the VSS password hash to recreate the Windows password (You're a smart user that doesn't use weak dictionary words for your Windows password, right?). However, there are cases in which you might want to write for convenience the VSS username and password in batch files or sources to use SourceSafe command line or VSS automation, and using there the OS password is going to be a bad idea. Also, if you use 3rd party applications to access the SourceSafe database you can't guarantee how those will use the password. So, it's better to be safe then sorry and pick a different password.

How easy is to hack SourceSafe passwords scheme?

Reseting or bypassing Visual SourceSafe passwords is really easy.

Someone with knowledge of the password hashing algorithm could write a program that reverses the password hashes from um.dat and find first working password that will produce the same hash. I wrote such program once and you can get working password for all user accounts of a SourceSafe database in fractions of a second...

A hacker could use a dictionary-attack atempt on a specific user's password. The success of the method depends on how big the dictionary is and how long is the original password. Having knowledge of the hashing algorithm is a plus, but it's not required. A hacker could use SourceSafe's API (IVSSDatabase.Open function) and attempt the login until it succeeds. For instance, John S. Reid's VssPassword recovery tool below scans about 12000 combinations per minute, and it solved one password combinations in less than 3 seconds (however, it was not able to find my preferred password after exhausting the dictionary - but a hacker will use for sure a much larger dictionary...)

A determined hacker targeting VSS doesn't even need all these. He can simply hack the VSS Binaries and alter them to either bypass the password validation code, or even easier to bypass the login dialog altogether.

But someone doesn't have to be a hacker to get access to a SourceSafe database. All he has to do is search on the Internet what other users did when they forgot their SourceSafe Admin passwords, and he will find in a couple of minutes or hours a way to break into a SourceSafe database. It took me 2-3 hours to search the net and gather all the information below about resetting or recovering Admin password; I could even download programs to reset the Admin password.

How to reset or recover the SourceSafe Admin's password?

Below I've listed a couple of methods and programs I've found on the Internet that can be used to reset the VSS Admin account password.

A couple of users have got access by overwiting um.dat file with one from a new database. See here and here for such examples. I would not recommend doing that though. You'll cause database corruption in the rights assigment and in existing users list. You'll lose any users except Admin and Guest.
Other users got access by overwriting um.dat, deleting rights.dat, fixing database corruption, etc. See here an example. The downside of this method is that you have to recreate all the users. You also lose all the rights asignments.
Other users have altered um.dat by editing it with a binary editor. See here a solution recommending complete overwrite of the Admin user's record. The method causes a slight database corruption (Admin's rights ID is not always 1A8 and is overwritten); analyze tool doesn't detect this corruption and doesn't fix it.
Another method editing um.dat is proposed by Paul Gurtler here. A source in C is provided to reset the Admin password. The program ovewrites the Admin's password hash and the checksum of the Admin user's record, and doesn't seem to produce database corruption.
An interesting method suggest creating an Admin Windows account to get access to the VSS database without knowing the password, reseting or hacking it. See here. You can get access and you can reset the passwords of other users, can add and delete users or perform other tasks that only the Admin can do. You will not be able though to reset the Admin password like this because you'll need to know the old one.
In fact this security consideration article on MSDN warns against the possibility of a hacker using this method.
There are even companies that claim to provide Visual SourceSafe password recovery services or recovery toolkit for a fee. See SourceSafe password recovery here and here. Some of these services have ridiculous prices (250$) and make claims I know they can't be true (see above why exact VSS passwords can't be recovered), but others are fairly cheap and seem honest (they will not provide the original password, but a password that will work).
And you can even find pre-built tools like ZapVssAdmin that will clear SourceSafe Admin password or change the guid of a VSS database. See the ZapVssAdmin attachment in this post, or download ZapVssAdmin from my site. At a first look, this tool doesn't seem to produce database corruption.
Recently I've also come upon other free tool that will do a dictionary attack on the VSS database. John Reid has an article about Sourcesafe password recovery made easy where he provides a VssPassord tool able to find password alternates using a dictionary attack or to reset a user's password by overwriting the password hash and the checksum in um.dat. If the tool is not able to find the password with teh dictionary provided you can create your won larger dictionary or you can reset the password and the tool doesn't seem to cause database corruption. You can download here John Reid's VssPassword.

Are SourceSafe password scheme and database rights a joke and Microsoft doesn't "get" security?

No. Microsoft does not see SourceSafe password scheme and the SourceSafe user rights as security measures. The VSS built-in mechanisms will only prevent for instance a user to delete a file by mistake, or to checkin by mistake newer versions of a file in parts of the tree that were locked down. They will not prevent a determined hacker to view or modify the database files. Microsoft recommends securing the SourceSafe database by using NTFS access lists and file share permissions, and restricting the database access only to those Windows users who really need access (see below).

Should I worry that someone could reset the SourceSafe Admin password?

No. Someone who wants to read the files stored in a VSS database doesn't have to know, reset or recover a password. If such user has access to the database share, he can simply view the content of all the files in the database by looking in the physical files like WRTBAAA.A and .B from the data subfolder. And he can easily reconstruct the file names or the paths of the files in the database by looking at the file logs like WRTBAAA. If a user has rights access to the database share, he doesn't have to use SourceSafe Explorer to delete some files in the database, cause damage and alter the log files to cover his tracks. He can simply delete directly the physical files in the database's folder...

So, how do I secure my SourceSafe database?

I hope by now I convinced you VSS passwords should not be used to enforce database security. The only way to secure your VSS database is to use Windows integrated security to restrict access to the VSS folders so that only authorized Windows users can access the database. The security of your VSS database is determined by the security of the folder that contains it. To implement the security described here for your VSS database, the database must be installed on an NT file system (NTFS) because, on NTFS, you can grant permissions for individual files and folders, in additions to the security permissions that you can apply to the database share.

You should read and follow the recommendations in next MSDN articles:

While savvy VSS users have their own additional set of SourceSafe password guidelines, I'd recommend forgetting about VSS password altogether.
Just setup the NTFS and database share permissions correctly, such that only users who need access to the database files will have it, then enable Automatic Logon using Network Names. I don't see any reason not to do this (any user who has write acces to the database share can manually modify the ini files and enable it back, so why would you disable it in the first place?). VSS users won't even need to know their passwords to access the database files (so you can assign random VSS passwords if you like, or leave them empty). Since it's so easy to get access into the VSS database using andy account you like, why bother setting passwords in the first place?

Does SourceSafe support Integrated Windows authentication?

No, but it doesn't need to. If you setup the database share and NTFS permissions correctly, you can forget about VSS passwords (see above why). Then all you have to do is add into the database VSS users names matching Windows account and set them with empty passwords. Only the users authenticated by Windows and granted access to the share will have access to the VSS database. And you can enable Automatic Logon using Network Names for the database so those users won't be bothered with SourceSafe logon promps. There you have your integrated Windows authentication for SourceSafe databases!

I forgot the password for SourceSafe Admin account, how do I reset or recover it?

Unfortunately, users often forget their VSS passwords. Or it may simply happen that the guy managing the VSS database leaved the company and he was the only one knowing the Admin account password. Microsoft Product Support has heared too many times questions like "How to recover that lost VSS admin password?", "How to reset the Admin password?" or "I've forgot the SourceSafe Admin password, how do I get access to my data?"...
Well, if this is the only issue that brought to this page, you should know by now that Microsoft product support can't and won't help you recover or reset the VSS Admin password. It's against Microsoft policy about lost or forgotten passwords, for obvious legal reasons.
But if you reached this page it also means that you used a search engine and searched the Internet for possible solutions. Indeed, there are a lot of users that were before in your situation, found a method to bypass VSS passwords and published their solutions; you can keep looking at other search hits, or for your convenience you can use the list of methods tried by another users that I've discussed above. Note that by using such methods of resetting the SourceSafe Admin password you may cause database corruption. Do it at your own risk!
And, while you're here, I hope you'll spend the time to read this whole page and educate yourself that SourceSafe passwords shouldn't be used by any mean as a security measure. I hope the page will help you learn the right way of securing your Visual SourceSafe database in the future!

(Back to SourceSafe and source control integration page)