how to encrypt and store the password? [message #183699] Sat, 22 July 2006 04:32
amul
Messages: 252
Registered: April 2001
Location: Chennai
Senior Member
Is it possible to encrypt and store the passwords? When we store it in the database it's just stored as a string which is viewable by the admin. I want to encrypt the password so no one can see it. Is it possible?
Re: how to encrypt and store the password? [message #183701 is a reply to message #183699] Sat, 22 July 2006 05:18
rajavu1
Messages: 1574
Registered: May 2005
Location: Bangalore , India
Senior Member

Hi,

You can develop user-defined functions or use the built-in functions
in dbms_obfuscation_toolkit provided by Oracle
(the DESDecrypt and DESEncrypt functions).

Search for its documentation ...

Rajuvan.
Re: how to encrypt and store the password? [message #183718 is a reply to message #183701] Sat, 22 July 2006 11:30
Maaher
Messages: 7065
Registered: December 2001
Senior Member
Just to add. As of 10g, there is the dbms_crypto package to encrypt/decrypt data. Are you sure that the search button here is just for fun? It has a purpose. Try it.

MHE
Re: how to encrypt and store the password? [message #183781 is a reply to message #183699] Sun, 23 July 2006 15:34
JRowbottom
Messages: 5933
Registered: June 2006
Location: Sunny North Yorkshire, ho...
Senior Member
I would be very surprised if you actually wanted to encrypt the password.
Encryption is reversible, and requires the secure storage of an encryption key.

What you are probably looking for is a HASH algorithm. This is an irreversible algorithm that produces a unique result from the password. When someone enters a password and you wish to check that it is correct, you simply apply the same hash routine to the entered text, and check that the outcome matches the stored hash of the password.

This is (in a simplified form) what Oracle does to store users' passwords in the database.
Re: how to encrypt and store the password? [message #183793 is a reply to message #183781] Sun, 23 July 2006 21:49
ehegagoka
Messages: 493
Registered: July 2005
Senior Member
Hi!
Sir JRowbottom, you're saying that we should use a hash algorithm or a package that produces a hash value? Using a string, and then the result is already the password? Or I didn't get it right =)
Re: how to encrypt and store the password? [message #183831 is a reply to message #183793] Mon, 24 July 2006 01:49
Maaher
Messages: 7065
Registered: December 2001
Senior Member
You know what? Oracle has provided several functions for hashing already. One is the DBMS_CRYPTO.HASH function but the easiest is perhaps DBMS_UTILITY.GET_HASH_VALUE. You pass the username + the password (combine them as the source string), a base and the hash length.

MHE

[Updated on: Mon, 24 July 2006 01:50]

Re: how to encrypt and store the password? [message #183834 is a reply to message #183793] Mon, 24 July 2006 01:59
JRowbottom
Messages: 5933
Registered: June 2006
Location: Sunny North Yorkshire, ho...
Senior Member
When a password is created, you take the hash value of the password and store that. If your hash algorithm is good enough, then it should be practically impossible to recover the password from the hash (Oracle, I believe, generates a hash of the combined username and password to avoid situations where two passwords would generate the same hash).

When someone wants to use that password, you generate a hash of whatever they type in, and compare it with the stored hash.
If the two values are the same, then they entered the same password.
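
Added example, not part of any post in this thread: the store-then-compare flow described above, written against DBMS_CRYPTO with a random per-user salt and PBKDF2-HMAC-SHA256 stretching (first output block only). The table app_users, the package pwd_store and the iteration count are hypothetical; HMAC_SH256 assumes Oracle 12c or later, which is newer than the 10g release discussed here, and the owning schema needs EXECUTE on DBMS_CRYPTO.

```sql
-- Added example: app_users and pwd_store are hypothetical names.
-- Assumes Oracle 12c+ (HMAC_SH256) and EXECUTE on DBMS_CRYPTO.
CREATE TABLE app_users (
  username VARCHAR2(30) PRIMARY KEY,
  salt     RAW(16) NOT NULL,    -- random, unique per user
  pwd_hash RAW(32) NOT NULL);   -- derived value, never the password

CREATE OR REPLACE PACKAGE pwd_store AS
  PROCEDURE set_password(p_user VARCHAR2, p_pwd VARCHAR2);
  FUNCTION check_password(p_user VARCHAR2, p_pwd VARCHAR2) RETURN BOOLEAN;
END pwd_store;
/
CREATE OR REPLACE PACKAGE BODY pwd_store AS
  c_iter CONSTANT PLS_INTEGER := 100000;  -- assumed work factor, tune per host
  -- PBKDF2 with HMAC-SHA256: U1 = HMAC(pwd, salt || 1), Ui = HMAC(pwd, Ui-1)
  FUNCTION derive(p_pwd VARCHAR2, p_salt RAW) RETURN RAW IS
    k RAW(2000) := UTL_I18N.STRING_TO_RAW(p_pwd, 'AL32UTF8');
    u RAW(32); t RAW(32);
  BEGIN
    IF p_pwd IS NULL THEN RAISE_APPLICATION_ERROR(-20001, 'empty password'); END IF;
    u := DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(p_salt, HEXTORAW('00000001')),
                         DBMS_CRYPTO.HMAC_SH256, k);
    t := u;
    FOR i IN 2 .. c_iter LOOP
      u := DBMS_CRYPTO.MAC(u, DBMS_CRYPTO.HMAC_SH256, k);
      t := UTL_RAW.BIT_XOR(t, u);   -- result is the XOR of all Ui
    END LOOP;
    RETURN t;
  END derive;

  PROCEDURE set_password(p_user VARCHAR2, p_pwd VARCHAR2) IS
    s RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh salt on every change
    h RAW(32) := derive(p_pwd, s);
  BEGIN
    UPDATE app_users SET salt = s, pwd_hash = h WHERE username = p_user;
    IF SQL%ROWCOUNT = 0 THEN
      INSERT INTO app_users (username, salt, pwd_hash) VALUES (p_user, s, h);
    END IF;
  END set_password;

  FUNCTION check_password(p_user VARCHAR2, p_pwd VARCHAR2) RETURN BOOLEAN IS
    s RAW(16); h RAW(32);
  BEGIN
    SELECT salt, pwd_hash INTO s, h FROM app_users WHERE username = p_user;
    RETURN derive(p_pwd, s) = h;    -- recompute with the stored salt, compare
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN FALSE;      -- unknown user
  END check_password;
END pwd_store;
/
```

The caller is responsible for COMMIT after set_password, and an empty password raises ORA-20001 from both routines rather than being stored or compared.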

Re: how to encrypt and store the password? [message #183892 is a reply to message #183834] Mon, 24 July 2006 04:55
ehegagoka
Messages: 493
Registered: July 2005
Senior Member
hi!
thank you so much sir, get_hash_value works fine for validating passwords =)


SQL> create table hashp (username varchar2(5), passwd number)
  2  /

Table created

SQL> declare
  2    uname varchar2(5) := 'rhani';
  3    pwd   varchar2(5) := 'passw';
  4  begin
  5    dbms_output.put_line('inserting password..');
  6    insert into hashp values(uname, dbms_utility.get_hash_value(uname || pwd, 10000,10240));
  7    commit;
  8  end;
  9  /

inserting password..

PL/SQL procedure successfully completed

SQL> declare
  2    uname varchar2(5) := 'rhani';
  3    pwd varchar2(5) := 'passx';
  4    vhash number;
  5  begin
  6    select passwd
  7    into vhash
  8    from hashp
  9    where username = 'rhani';
 10    if vhash = dbms_utility.get_hash_value(uname || pwd, 10000,10240) then
 11       dbms_output.put_line('valid password');
 12    else
 13       dbms_output.put_line('invalid password');
 14    end if;
 15  end;
 16  /

invalid password

PL/SQL procedure successfully completed


Re: how to encrypt and store the password? [message #183894 is a reply to message #183892] Mon, 24 July 2006 04:59
JRowbottom
Messages: 5933
Registered: June 2006
Location: Sunny North Yorkshire, ho...
Senior Member
I prefer the DBMS_OBFUSCATION_TOOLKIT.MD5 - partly because I get to use the word Obfuscation, and partly because it generates a more secure hash (or so I'm told).
Re: how to encrypt and store the password? [message #183895 is a reply to message #183892] Mon, 24 July 2006 05:08
amul
Messages: 252
Registered: April 2001
Location: Chennai
Senior Member
Hai,
Actually I want to encrypt my Forms user password using the dbms_crypto package and I have to store it in the table. Whenever the user enters the login screen it has to check the stored encrypted password, i.e. the password has to be decrypted and checked against the password the user is currently entering in the Forms login screen.

Whenever I run the dbms_crypto package in the SYS schema it is allowing me to execute. I wanted to give execute privilege on this script to scott. Is it advisable to grant this package to the scott user?
Re: how to encrypt and store the password? [message #183900 is a reply to message #183895] Mon, 24 July 2006 05:23
JRowbottom
Messages: 5933
Registered: June 2006
Location: Sunny North Yorkshire, ho...
Senior Member
Don't run things as SYS.
If you're not doing DBA type things, then don't log in as SYS or SYSTEM at all.
In fact, as a rule of thumb, if the thing that you're doing can be done from any other schema, then that's where it should be done from.

Just don't do it.

If code in the Scott schema needs to access DBMS_CRYPTO, then grant the access.