Solved

Best practices for storing passwords in a SQL Server.

Posted on 2008-11-02
10
692 Views
Last Modified: 2012-06-27
I am looking for some advice and best practices for storing user passwords in a SQL server database.  I am developing an SSO application and need to store user names and passwords for users.  I have secured the server physically, and followed the recommendations for securing the SQL server, however, I need some advice on the best way in which to store passwords?  Should I encrypt the passwords before I store them in the database?  If so, what is a good standard?

Thank you for any advice.  
0
Comment
Question by:shanemay
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 143

Assisted Solution

by:Guy Hengel [angelIII / a3]
Guy Hengel [angelIII / a3] earned 80 total points
ID: 22863299
the best is to store hash values of the passwords. that way, they cannot be "decrypted" or so.
only the application hash function will be applied to the user input for the password, and the hashed values will be compared.

in sql server, you use VARBINARY for the data type of the hashed values.
0
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 22863321
Here are some good tips on how to secure your information and best practices for storing passwords. They show you how to do it in a nice and clean way.  

Good luck.

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
 
LVL 7

Assisted Solution

by:pr0t0c0l12
pr0t0c0l12 earned 70 total points
ID: 22863328
Angel is right. You should encrypt them and the tutorial I mentioned shows you how to do that.  

Thanks,

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863897
Actually hashed passwords is not quite the same as encrypted the password:  With hashed passwords you never store the password and in general is a better approach.
0
 

Author Comment

by:shanemay
ID: 22863915
I have been reading up on hashing passwords and just comparing the hashed bytes and not comparing the passwords as text.  I understand the principle, however, I do not understand how a hashed password could not be decoded.    Thanks for everyone's advice and help.  
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863957
>>I understand the principle, however, I do not understand how a hashed password could not be decoded.<<
Simple. Since the password is not stored it cannot be decrypted.

Here is a very simple algorithm (not one I would recommend, but serves to illustrate my point):
Supposing that your algorithm is adding the ASCII values for each letter, so "Password" becomes 80 + 97 + 115 + 115 + 119 + 111 + 114 + 100 = 851
You then store 851 in your database.  As you can see it is virtually impossible to go back from 851 to "Password".  Somewhat akin to converting a hamburger back into a cow.
0
 

Author Comment

by:shanemay
ID: 22863992
Thank you for the explanation, I completely understand.  For my purposes I need to encrypt the password not use a hash.  It looks like my best option might be the .Net System.Security.Cryptography namespace and use the RSA encryption API.

Any thoughts.    
0
 
LVL 26

Accepted Solution

by:
Anurag Thakur earned 100 total points
ID: 22864943
you can have a look at the following implementation of password encryption with MD5
Using MD5 Encryption with C# and MSSQL 2000
http://www.codeproject.com/KB/database/md5sql2000.aspx
0
 

Author Closing Comment

by:shanemay
ID: 31512538
Thank you for the outstanding advice and help.  
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22872979
>>For my purposes I need to encrypt the password not use a hash. <<
Which is not to say you cannot also encrypt the hashed password.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
Use this article to create a batch file to backup a Microsoft SQL Server database to a Windows folder.  The folder can be on the local hard drive or on a network share.  This batch file will query the SQL server to get the current date & time and wi…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question