Can We Please Stop Sending Passwords Over the Wire?

While analyzing SQL Server’s network protocol, I came across a weird fact: when a database client logs in using SQL Server authentication (as opposed to Windows authentication), it has to send the user’s password to the server, in blatant violation of common security guidelines. At first, I couldn’t believe it; SQL Server generally does an excellent job with security, and this seemed completely out of character — but there it was.

I am certainly not the first person to discover this. In fact, Microsoft has a warning of sorts in its documentation:

Disadvantages of SQL Server Authentication

The encrypted SQL