?
Solved

Best practices for storing passwords in a SQL Server.

Posted on 2008-11-02
10
Medium Priority
?
703 Views
Last Modified: 2012-06-27
I am looking for some advice and best practices for storing user passwords in a SQL server database.  I am developing an SSO application and need to store user names and passwords for users.  I have secured the server physically, and followed the recommendations for securing the SQL server, however, I need some advice on the best way in which to store passwords?  Should I encrypt the passwords before I store them in the database?  If so, what is a good standard?

Thank you for any advice.  
0
Comment
Question by:shanemay
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 143

Assisted Solution

by:Guy Hengel [angelIII / a3]
Guy Hengel [angelIII / a3] earned 320 total points
ID: 22863299
the best is to store hash values of the passwords. that way, they cannot be "decrypted" or so.
only the application hash function will be applied to the user input for the password, and the hashed values will be compared.

in sql server, you use VARBINARY for the data type of the hashed values.
0
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 22863321
Here are some good tips on how to secure your information and best practices for storing passwords. They show you how to do it in a nice and clean way.  

Good luck.

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
 
LVL 7

Assisted Solution

by:pr0t0c0l12
pr0t0c0l12 earned 280 total points
ID: 22863328
Angel is right. You should encrypt them and the tutorial I mentioned shows you how to do that.  

Thanks,

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863897
Actually hashed passwords is not quite the same as encrypted the password:  With hashed passwords you never store the password and in general is a better approach.
0
 

Author Comment

by:shanemay
ID: 22863915
I have been reading up on hashing passwords and just comparing the hashed bytes and not comparing the passwords as text.  I understand the principle, however, I do not understand how a hashed password could not be decoded.    Thanks for everyone's advice and help.  
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863957
>>I understand the principle, however, I do not understand how a hashed password could not be decoded.<<
Simple. Since the password is not stored it cannot be decrypted.

Here is a very simple algorithm (not one I would recommend, but serves to illustrate my point):
Supposing that your algorithm is adding the ASCII values for each letter, so "Password" becomes 80 + 97 + 115 + 115 + 119 + 111 + 114 + 100 = 851
You then store 851 in your database.  As you can see it is virtually impossible to go back from 851 to "Password".  Somewhat akin to converting a hamburger back into a cow.
0
 

Author Comment

by:shanemay
ID: 22863992
Thank you for the explanation, I completely understand.  For my purposes I need to encrypt the password not use a hash.  It looks like my best option might be the .Net System.Security.Cryptography namespace and use the RSA encryption API.

Any thoughts.    
0
 
LVL 26

Accepted Solution

by:
Anurag Thakur earned 400 total points
ID: 22864943
you can have a look at the following implementation of password encryption with MD5
Using MD5 Encryption with C# and MSSQL 2000
http://www.codeproject.com/KB/database/md5sql2000.aspx
0
 

Author Closing Comment

by:shanemay
ID: 31512538
Thank you for the outstanding advice and help.  
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22872979
>>For my purposes I need to encrypt the password not use a hash. <<
Which is not to say you cannot also encrypt the hashed password.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
In this article I will describe the Backup & Restore method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question