paulfryer
asked on
How to store passwords
I need a secure solution for storing passwords. If the database was ever hacked, I would prefer the passwords are not stored in a readable format. How do I do this?
Don't store them. Instead use a one way hash, in much the same way it is done in SQL server. For added security use a salt string to make them even more secure.
ASKER
acperkins,
I am a little unfamiliar with "one way hash" and "salt string". Could you please explain further, perhaps provide some TSQL examples?
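An added example (not from this thread or its certified solution) of the salted one-way hash approach in T-SQL: a per-user random salt is stored next to SHA-256(salt + password), and a login is checked by recomputing the hash, never by decrypting anything. It assumes SQL Server 2012 or later (HASHBYTES with SHA2_256, CRYPT_GEN_RANDOM); the table and procedure names are hypothetical.

```sql
-- Added example, not from the thread. Store salt + one-way hash, never the
-- password. Assumes SQL Server 2012+ (HASHBYTES 'SHA2_256', CRYPT_GEN_RANDOM).
-- dbo.AppUser, dbo.SetPassword and dbo.CheckPassword are hypothetical names.
CREATE TABLE dbo.AppUser (
    UserName      NVARCHAR(128)  NOT NULL PRIMARY KEY,
    PasswordSalt  VARBINARY(16)  NOT NULL,   -- random, different per user
    PasswordHash  VARBINARY(32)  NOT NULL    -- SHA2_256(salt + password bytes)
);
GO

CREATE PROCEDURE dbo.SetPassword
    @UserName NVARCHAR(128), @Password NVARCHAR(256)
AS
BEGIN
    SET NOCOUNT ON;
    -- Fresh salt per user: identical passwords get different hashes, and a
    -- precomputed table of hashes is useless against a stolen database.
    DECLARE @Salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
    DECLARE @Hash VARBINARY(32) =
        HASHBYTES('SHA2_256', @Salt + CAST(@Password AS VARBINARY(512)));
    INSERT INTO dbo.AppUser (UserName, PasswordSalt, PasswordHash)
    VALUES (@UserName, @Salt, @Hash);
END
GO

CREATE PROCEDURE dbo.CheckPassword
    @UserName NVARCHAR(128), @Password NVARCHAR(256), @IsValid BIT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @IsValid = 0;
    DECLARE @Salt VARBINARY(16), @Stored VARBINARY(32);
    SELECT @Salt = PasswordSalt, @Stored = PasswordHash
      FROM dbo.AppUser WHERE UserName = @UserName;
    -- Recompute with the stored salt; a match proves knowledge of the
    -- password without the password ever being recoverable from the row.
    IF @Salt IS NOT NULL
       AND HASHBYTES('SHA2_256', @Salt + CAST(@Password AS VARBINARY(512))) = @Stored
        SET @IsValid = 1;
END
GO

-- Constructed usage: set a password, then verify a right and a wrong guess.
EXEC dbo.SetPassword N'alice', N'correct horse battery';
DECLARE @ok BIT, @bad BIT;
EXEC dbo.CheckPassword N'alice', N'correct horse battery', @ok  OUTPUT;
EXEC dbo.CheckPassword N'alice', N'wrong guess',           @bad OUTPUT;
SELECT @ok AS CorrectPassword, @bad AS WrongPassword;
```

Plain SHA-256 is fast, so offline guessing against a stolen table is still cheap per guess; a deliberately slow, tunable password hash (PBKDF2, bcrypt or scrypt) computed in the application layer is the stronger choice where that is an option.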
Just keep in mind:
it is well known that the native SQL encryption is not as strong as, for example:
XP_CRYPT with SQL Shield
http://www.activecrypt.com/
=================
Links removed and saved
Wes Lennon - DoCS
=================
EugeneZ,
>>it is well known the native sql encryption not so strong as ...<<
Do yourself a favor and read my comments. If you are having difficulty with that concept here they are again:
<quote>
Caveats:
1. These are undocumented functions and are subject to change (but we are all adults here)
2. They are apparently fairly easy to crack, but should give you a good idea as to how a one way hash system works.
</quote>
To make it simple for you I will highlight the key part: "should give you a good idea as to how a one way hash system works". Also you may have overlooked the part that reads "we are all adults here", as you did not feel it applied.
And finally, and for the record, SQL Server does not encrypt passwords, it hashes them; it is a totally different concept. I recommend you read up on it.
paulfryer,
I forgot to mention that, for security reasons, many corporations no longer permit storing passwords, even encrypted ones. Hashing the password and storing the hashed values is a good alternative in this situation.
acperkins:
the comment was for paulfryer
acperkins:
BTW: question was:
>...If the database was ever hacked...
Thus, according to your comments:
pwdencrypt and pwdcompare are not the answer
XP_CRYPT with SQL Shield
http://www.activecrypt.com/
NetLib Encryptionizer for SQL Server
http://www.netlib.com/sql-server-encryption.shtml