Solved

How to store passwords

Posted on 2005-04-18
335 Views
Last Modified: 2008-01-09
I need a secure solution for storing passwords. If the database was ever hacked, I would prefer the passwords are not stored in a readable format. How do I do this?
Question by:paulfryer
8 Comments
 
LVL 43

Expert Comment

by:Eugene Z
ID: 13811724
use 3rd party encrypt\decrypt software:

XP_CRYPT with SQL Shield
http://www.activecrypt.com/

NetLib Encryptionizer for SQL Server
http://www.netlib.com/sql-server-encryption.shtml
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 13812689
Don't store them. Instead use a one-way hash, in much the same way it is done in SQL Server.  For added security use a salt string to make them even more secure.
 
LVL 1

Author Comment

by:paulfryer
ID: 13820996
acperkins,

I am a little unfamiliar with "one way hash" and "salt string"; could you please explain further, perhaps provide some T-SQL examples?
 
LVL 75

Accepted Solution

by:
Anthony Perkins earned 2000 total points
ID: 13824332
In the simplest of terms, supposing I took a password and added the ASCII values and then saved the result.  You could then enter the password again and do the same algorithm and compare to that saved value.  The password itself or even an encrypted version of it is never saved anywhere.  One problem with this approach is that the same password saved at different times will have the same hash value. In order to improve security, I can add a value to it, for example the number of seconds since midnight.  This is called a salt value.

Take a look at the T-SQL undocumented functions: pwdencrypt and pwdcompare
Undocumented Encrypt and Decrypt Functions in SQL Server 7.0
http://www.devx.com/tips/Tip/14407

Caveats:  
1. These are undocumented functions and are subject to change (but we are all adults here)
2. They are apparently fairly easy to crack, but should give you a good idea as to how a one way hash system works.
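The salted one-way hash described in the accepted solution, written out in T-SQL as an added example (not code from the thread or from the linked article). It uses the documented HASHBYTES function rather than the undocumented pwdencrypt/pwdcompare, and assumes SQL Server 2012 or later (for SHA2_256 and CRYPT_GEN_RANDOM); the table and procedure names are made up for the example.

```sql
-- Constructed example: store a per-user random salt plus SHA-256(salt || password),
-- never the password itself. Table and procedure names are assumptions.
CREATE TABLE dbo.AppUser (
    UserName     NVARCHAR(64)  NOT NULL PRIMARY KEY,
    Salt         VARBINARY(16) NOT NULL,  -- random and unique per user
    PasswordHash VARBINARY(32) NOT NULL   -- SHA-256 of salt + password bytes
);
GO

-- Set (or reset) a user's password: fresh salt each time, so the same password
-- stored twice, or by two users, never yields the same hash.
CREATE PROCEDURE dbo.usp_SetPassword
    @UserName NVARCHAR(64),
    @Password NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
    DECLARE @Hash VARBINARY(32) =
        HASHBYTES('SHA2_256', @Salt + CAST(@Password AS VARBINARY(256)));

    IF EXISTS (SELECT 1 FROM dbo.AppUser WHERE UserName = @UserName)
        UPDATE dbo.AppUser
           SET Salt = @Salt, PasswordHash = @Hash
         WHERE UserName = @UserName;
    ELSE
        INSERT dbo.AppUser (UserName, Salt, PasswordHash)
        VALUES (@UserName, @Salt, @Hash);
END
GO

-- Verify: re-run the same algorithm with the stored salt and compare hashes.
-- @IsValid is set to 1 only when the recomputed hash equals the stored one.
CREATE PROCEDURE dbo.usp_CheckPassword
    @UserName NVARCHAR(64),
    @Password NVARCHAR(128),
    @IsValid  BIT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @IsValid = 0;
    SELECT @IsValid = 1
      FROM dbo.AppUser
     WHERE UserName = @UserName
       AND PasswordHash = HASHBYTES('SHA2_256', Salt + CAST(@Password AS VARBINARY(256)));
END
GO

-- Usage with constructed values:
EXEC dbo.usp_SetPassword @UserName = N'alice', @Password = N'correct horse battery';
DECLARE @ok BIT;
EXEC dbo.usp_CheckPassword N'alice', N'correct horse battery', @ok OUTPUT;
SELECT @ok AS IsValid;
```

A plain SHA-256 is fast to compute, so for a stolen table a deliberately slow, iterated password hash (PBKDF2, bcrypt or scrypt, computed in the application tier) resists guessing far better than a single HASHBYTES call; the salt and compare logic above stays the same.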
 
LVL 43

Expert Comment

by:Eugene Z
ID: 13846963
Just keep in mind:

it is well known that the native SQL encryption is not as strong as,
for example:

XP_CRYPT with SQL Shield
http://www.activecrypt.com/

=================
Links removed and saved
Wes Lennon - DoCS
=================
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 13847019
EugeneZ,

>>it is well known the native sql encryption not so strong as ...<<
Do yourself a favor and read my comments.  If you are having difficulty with that concept here they are again:

<quote>

Caveats:  
1. These are undocumented functions and are subject to change (but we are all adults here)
2. They are apparently fairly easy to crack, but should give you a good idea as to how a one way hash system works.

</quote>

To make it simple for you I will highlight the key part: "should give you a good idea as to how a one way hash system works".  Also you may have overlooked the part that reads "we are all adults here", as you did not feel it applied.

And finally and for the record SQL Server does not encrypt passwords it hashes them, it is a totally different concept.  I recommend you read up on it.

paulfryer,

I forgot to mention that, for security reasons, many corporations no longer permit storing passwords, even encrypted ones.  Hashing the password and storing the hashed values is a good alternative in this situation.
 
LVL 43

Expert Comment

by:Eugene Z
ID: 13847296
acperkins:

the comment was for paulfryer


 
LVL 43

Expert Comment

by:Eugene Z
ID: 13847366
acperkins:
BTW: question was:  
>...If the database was ever hacked...

Thus, according to your comments:
pwdencrypt and pwdcompare are not the answer
