Solved

Best practices for storing passwords in a SQL Server.

Posted on 2008-11-02
10
690 Views
Last Modified: 2012-06-27
I am looking for some advice and best practices for storing user passwords in a SQL server database.  I am developing an SSO application and need to store user names and passwords for users.  I have secured the server physically, and followed the recommendations for securing the SQL server, however, I need some advice on the best way in which to store passwords?  Should I encrypt the passwords before I store them in the database?  If so, what is a good standard?

Thank you for any advice.  
0
Comment
Question by:shanemay
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 142

Assisted Solution

by:Guy Hengel [angelIII / a3]
Guy Hengel [angelIII / a3] earned 80 total points
ID: 22863299
the best is to store hash values of the passwords. that way, they cannot be "decrypted" or so.
only the application hash function will be applied to the user input for the password, and the hashed values will be compared.

in sql server, you use VARBINARY for the data type of the hashed values.
0
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 22863321
Here are some good tips on how to secure your information and best practices for storing passwords. They show you how to do it in a nice and clean way.  

Good luck.

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
 
LVL 7

Assisted Solution

by:pr0t0c0l12
pr0t0c0l12 earned 70 total points
ID: 22863328
Angel is right. You should encrypt them and the tutorial I mentioned shows you how to do that.  

Thanks,

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863897
Actually hashed passwords is not quite the same as encrypted the password:  With hashed passwords you never store the password and in general is a better approach.
0
 

Author Comment

by:shanemay
ID: 22863915
I have been reading up on hashing passwords and just comparing the hashed bytes and not comparing the passwords as text.  I understand the principle, however, I do not understand how a hashed password could not be decoded.    Thanks for everyone's advice and help.  
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863957
>>I understand the principle, however, I do not understand how a hashed password could not be decoded.<<
Simple. Since the password is not stored it cannot be decrypted.

Here is a very simple algorithm (not one I would recommend, but serves to illustrate my point):
Supposing that your algorithm is adding the ASCII values for each letter, so "Password" becomes 80 + 97 + 115 + 115 + 119 + 111 + 114 + 100 = 851
You then store 851 in your database.  As you can see it is virtually impossible to go back from 851 to "Password".  Somewhat akin to converting a hamburger back into a cow.
0
 

Author Comment

by:shanemay
ID: 22863992
Thank you for the explanation, I completely understand.  For my purposes I need to encrypt the password not use a hash.  It looks like my best option might be the .Net System.Security.Cryptography namespace and use the RSA encryption API.

Any thoughts.    
0
 
LVL 26

Accepted Solution

by:
Anurag Thakur earned 100 total points
ID: 22864943
you can have a look at the following implementation of password encryption with MD5
Using MD5 Encryption with C# and MSSQL 2000
http://www.codeproject.com/KB/database/md5sql2000.aspx
0
 

Author Closing Comment

by:shanemay
ID: 31512538
Thank you for the outstanding advice and help.  
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22872979
>>For my purposes I need to encrypt the password not use a hash. <<
Which is not to say you cannot also encrypt the hashed password.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Graphics 2 30
RLDC Reporting in Visual studio 11 16
Can't disable touch pad on Windows 10 computer 16 33
c# - Best approach for objects in functions 3 17
A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
In this article I will describe the Backup & Restore method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question