Solved

Best practices for storing passwords in a SQL Server.

Posted on 2008-11-02
10
686 Views
Last Modified: 2012-06-27
I am looking for some advice and best practices for storing user passwords in a SQL server database.  I am developing an SSO application and need to store user names and passwords for users.  I have secured the server physically, and followed the recommendations for securing the SQL server, however, I need some advice on the best way in which to store passwords?  Should I encrypt the passwords before I store them in the database?  If so, what is a good standard?

Thank you for any advice.  
0
Comment
Question by:shanemay
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 142

Assisted Solution

by:Guy Hengel [angelIII / a3]
Guy Hengel [angelIII / a3] earned 80 total points
ID: 22863299
the best is to store hash values of the passwords. that way, they cannot be "decrypted" or so.
only the application hash function will be applied to the user input for the password, and the hashed values will be compared.

in sql server, you use VARBINARY for the data type of the hashed values.
0
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 22863321
Here are some good tips on how to secure your information and best practices for storing passwords. They show you how to do it in a nice and clean way.  

Good luck.

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
 
LVL 7

Assisted Solution

by:pr0t0c0l12
pr0t0c0l12 earned 70 total points
ID: 22863328
Angel is right. You should encrypt them and the tutorial I mentioned shows you how to do that.  

Thanks,

http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863897
Actually hashed passwords is not quite the same as encrypted the password:  With hashed passwords you never store the password and in general is a better approach.
0
 

Author Comment

by:shanemay
ID: 22863915
I have been reading up on hashing passwords and just comparing the hashed bytes and not comparing the passwords as text.  I understand the principle, however, I do not understand how a hashed password could not be decoded.    Thanks for everyone's advice and help.  
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22863957
>>I understand the principle, however, I do not understand how a hashed password could not be decoded.<<
Simple. Since the password is not stored it cannot be decrypted.

Here is a very simple algorithm (not one I would recommend, but serves to illustrate my point):
Supposing that your algorithm is adding the ASCII values for each letter, so "Password" becomes 80 + 97 + 115 + 115 + 119 + 111 + 114 + 100 = 851
You then store 851 in your database.  As you can see it is virtually impossible to go back from 851 to "Password".  Somewhat akin to converting a hamburger back into a cow.
0
 

Author Comment

by:shanemay
ID: 22863992
Thank you for the explanation, I completely understand.  For my purposes I need to encrypt the password not use a hash.  It looks like my best option might be the .Net System.Security.Cryptography namespace and use the RSA encryption API.

Any thoughts.    
0
 
LVL 26

Accepted Solution

by:
Anurag Thakur earned 100 total points
ID: 22864943
you can have a look at the following implementation of password encryption with MD5
Using MD5 Encryption with C# and MSSQL 2000
http://www.codeproject.com/KB/database/md5sql2000.aspx
0
 

Author Closing Comment

by:shanemay
ID: 31512538
Thank you for the outstanding advice and help.  
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 22872979
>>For my purposes I need to encrypt the password not use a hash. <<
Which is not to say you cannot also encrypt the hashed password.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Mark Wills Attending one of Rob Farley's seminars the other day, I heard the phrase "The Accidental DBA" and fell in love with it. It got me thinking about the plight of the newcomer to SQL Server...  So if you are the accidental DBA, or, simp…
Data architecture is an important aspect in Software as a Service (SaaS) delivery model. This article is a study on the database of a single-tenant application that could be extended to support multiple tenants. The application is web-based develope…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now