Solved

Best practices for storing passwords in a SQL Server.

Posted on 2008-11-02
10
683 Views
Last Modified: 2012-06-27
I am looking for some advice and best practices for storing user passwords in a SQL server database.  I am developing an SSO application and need to store user names and passwords for users.  I have secured the server physically, and followed the recommendations for securing the SQL server, however, I need some advice on the best way in which to store passwords?  Should I encrypt the passwords before I store them in the database?  If so, what is a good standard?

Thank you for any advice.  
0
Comment
Question by:shanemay
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 142

Assisted Solution

by:Guy Hengel [angelIII / a3]
Guy Hengel [angelIII / a3] earned 80 total points
ID: 22863299
the best is to store hash values of the passwords. that way, they cannot be "decrypted" or so.
only the application hash function will be applied to the user input for the password, and the hashed values will be compared.

in sql server, you use VARBINARY for the data type of the hashed values.
0
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 22863321
Here are some good tips on how to secure your information and best practices for storing passwords. They show you how to do it in a nice and clean way.  

Good luck.

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
 
LVL 7

Assisted Solution

by:pr0t0c0l12
pr0t0c0l12 earned 70 total points
ID: 22863328
Angel is right. You should encrypt them and the tutorial I mentioned shows you how to do that.  

Thanks,

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863897
Actually hashed passwords is not quite the same as encrypted the password:  With hashed passwords you never store the password and in general is a better approach.
0
 

Author Comment

by:shanemay
ID: 22863915
I have been reading up on hashing passwords and just comparing the hashed bytes and not comparing the passwords as text.  I understand the principle, however, I do not understand how a hashed password could not be decoded.    Thanks for everyone's advice and help.  
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863957
>>I understand the principle, however, I do not understand how a hashed password could not be decoded.<<
Simple. Since the password is not stored it cannot be decrypted.

Here is a very simple algorithm (not one I would recommend, but serves to illustrate my point):
Supposing that your algorithm is adding the ASCII values for each letter, so "Password" becomes 80 + 97 + 115 + 115 + 119 + 111 + 114 + 100 = 851
You then store 851 in your database.  As you can see it is virtually impossible to go back from 851 to "Password".  Somewhat akin to converting a hamburger back into a cow.
0
 

Author Comment

by:shanemay
ID: 22863992
Thank you for the explanation, I completely understand.  For my purposes I need to encrypt the password not use a hash.  It looks like my best option might be the .Net System.Security.Cryptography namespace and use the RSA encryption API.

Any thoughts.    
0
 
LVL 26

Accepted Solution

by:
Anurag Thakur earned 100 total points
ID: 22864943
you can have a look at the following implementation of password encryption with MD5
Using MD5 Encryption with C# and MSSQL 2000
http://www.codeproject.com/KB/database/md5sql2000.aspx
0
 

Author Closing Comment

by:shanemay
ID: 31512538
Thank you for the outstanding advice and help.  
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22872979
>>For my purposes I need to encrypt the password not use a hash. <<
Which is not to say you cannot also encrypt the hashed password.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

This article is for Object-Oriented Programming (OOP) beginners. An Interface contains declarations of events, indexers, methods and/or properties. Any class which implements the Interface should provide the concrete implementation for each Inter…
A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now