Difficulty: Medium
Correct Answer: SQL Server logins and password hashes are stored in the system catalog of the master database, in views such as sys.server_principals and sys.sql_logins.
Explanation:
Introduction / Context:
Security and authentication are fundamental aspects of database administration. In Microsoft SQL Server, server level logins are stored and managed by the database engine itself. Interview questions about where usernames and password hashes are stored test whether you understand the system catalog and the separation between server level security information and user data stored in application tables.
Given Data / Assumptions:
• The database platform is Microsoft SQL Server.
• We are talking about SQL Server logins, not necessarily Windows domain accounts.
• The question focuses on the internal storage location of login names and password hashes.
• No numeric computation is required; this is a conceptual security and catalog question.
Concept / Approach:
SQL Server stores server level logins and associated security metadata in system catalog views that reside logically in the master database. Views such as sys.server_principals and sys.sql_logins expose information about login names, types, and password hashes. While Windows integrated logins rely on Active Directory for authentication, SQL logins themselves are stored and managed inside SQL Server. The data is hashed and not stored in plain text. Application tables should not be used to store SQL Server login passwords. A correct answer must mention the system catalog of the master database and the appropriate system views.
Step-by-Step Solution:
Step 1: Recall that server level configuration and metadata are stored in system databases, especially master.
Step 2: Recognize that SQL Server provides catalog views for inspecting logins, such as sys.server_principals.
Step 3: Remember that for SQL logins, password information is stored as hashes accessible via sys.sql_logins.
Step 4: Understand that application tables containing business data are separate and should not store SQL Server login credentials.
Step 5: Choose the option that explicitly refers to the master database system catalog and these catalog views.
Verification / Alternative check:
If you connect as an administrator and query SELECT name FROM sys.server_principals, you will see a list of logins defined at the server level. Another query against sys.sql_logins reveals information about SQL logins, including password hash data, but not the clear text passwords. These catalog views are documented as being logically in the master database. There is no requirement to store usernames and passwords in user tables, and passwords are not written to the error log. This confirms that option a correctly describes the storage location for SQL Server logins and password hashes.
Why Other Options Are Wrong:
Option b claims that usernames and passwords are stored in user tables along with business data, which would be insecure and is not how SQL Server logins are implemented.
Option c suggests that usernames and passwords are never stored in SQL Server, which ignores SQL logins that are fully managed by the database engine.
Option d splits usernames and passwords between msdb and tempdb, which is incorrect and not documented behavior.
Option e falsely states that passwords are written in plain text into the SQL Server error log, which would be a serious security flaw and is not true.
Common Pitfalls:
A common pitfall is assuming that storing application user credentials in normal tables is equivalent to SQL Server logins. While applications may maintain their own authentication systems, SQL logins are specifically for server level access and are stored in the system catalog. Another mistake is confusing Windows integrated authentication, where credentials live in Active Directory, with SQL authentication, where hashes are kept inside SQL Server. Administrators should be careful not to expose sys.sql_logins to unauthorized users because, even though it contains hashes rather than clear text passwords, it is still sensitive security metadata.
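The catalog queries described in the verification section, turned into a defender's audit of SQL logins (an added example, not part of the original answer): it inventories SQL-authenticated logins without selecting the hash values, flags weak password settings, and lists which principals can read this sensitive metadata. It assumes SQL Server 2012 or later and a connection with permission to read the server catalog; the column and function names are documented catalog objects.

```sql
-- Added example (not from the original answer). Assumes SQL Server 2012+.

-- 1. Inventory SQL logins. The catalog exposes a hash, never the clear-text
--    password; for an audit only the presence of a hash matters.
SELECT  p.name,
        p.type_desc,
        p.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        CASE WHEN l.password_hash IS NULL THEN 'none/not visible'
             ELSE 'present' END                      AS hash_state,
        LOGINPROPERTY(p.name, 'PasswordLastSetTime') AS password_last_set,
        LOGINPROPERTY(p.name, 'IsLocked')            AS is_locked
FROM    sys.server_principals AS p
JOIN    sys.sql_logins        AS l ON l.principal_id = p.principal_id
WHERE   p.type = 'S'               -- 'S' = SQL login ('U'/'G' are Windows logins/groups)
  AND   p.name NOT LIKE '##%'      -- skip the internal ##MS_...## logins
ORDER BY p.name;

-- 2. Flag the weak settings a reviewer looks for: policy or expiration
--    unchecked, or an enabled SQL login whose password has not been rotated.
SELECT  l.name,
        CASE WHEN l.is_policy_checked = 0     THEN 'policy not enforced; '     ELSE '' END
      + CASE WHEN l.is_expiration_checked = 0 THEN 'expiration not enforced; ' ELSE '' END
      + CASE WHEN CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime)
                  < DATEADD(day, -365, GETDATE())
             THEN 'password older than a year' ELSE '' END AS findings
FROM    sys.sql_logins AS l
WHERE   l.is_disabled = 0
  AND   l.name NOT LIKE '##%'
  AND  (l.is_policy_checked = 0
        OR l.is_expiration_checked = 0
        OR CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime)
           < DATEADD(day, -365, GETDATE()));

-- 3. Who can read login metadata across the instance? Principals granted
--    CONTROL SERVER or VIEW ANY DEFINITION, plus sysadmin members.
SELECT  pr.name, pe.permission_name, pe.state_desc
FROM    sys.server_permissions AS pe
JOIN    sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class_desc = 'SERVER'
  AND   pe.permission_name IN ('CONTROL SERVER', 'VIEW ANY DEFINITION')
UNION ALL
SELECT  pr.name, 'sysadmin role member', 'GRANT'
FROM    sys.server_principals AS pr
WHERE   pr.type IN ('S', 'U')
  AND   IS_SRVROLEMEMBER('sysadmin', pr.name) = 1;
```

Run the three statements as an administrator; the first two produce the findings list, the third is the access-review list that should be reconciled against the people and services actually expected to hold those rights.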
Final Answer:
The correct choice is that SQL Server logins and password hashes are stored in the system catalog of the master database, in views such as sys.server_principals and sys.sql_logins, because it correctly identifies the location and structure through which SQL Server manages login credentials internally.