how to encrypt and store the password? [message #183699]
Sat, 22 July 2006 04:32
amul
Messages: 252 Registered: April 2001 Location: Chennai
Senior Member
Is it possible to encrypt and store the passwords? When we store it in the database it's just stored as a string which is viewable by the admin. I want to encrypt the password so no one can see it. Is it possible?
Re: how to encrypt and store the password? [message #183781 is a reply to message #183699]
Sun, 23 July 2006 15:34
JRowbottom
Messages: 5933 Registered: June 2006 Location: Sunny North Yorkshire, ho...
Senior Member
I would be very surprised if you actually wanted to encrypt the password.
Encryption is reversible, and requires the secure storage of an encryption key.
What you are probably looking for is a HASH algorithm. This is an irreversible algorithm that produces a unique result from the password. When someone enters a password and you wish to check that it is correct, you simply apply the same hash routine to the entered text, and check that the outcome matches the stored hash of the password.
This is (in a simplified form) what Oracle does to store users' passwords in the database.
Re: how to encrypt and store the password? [message #183834 is a reply to message #183793]
Mon, 24 July 2006 01:59
JRowbottom
Messages: 5933 Registered: June 2006 Location: Sunny North Yorkshire, ho...
Senior Member
When a password is created, you take the hash value of the password and store that. If your hash algorithm is good enough, then it should be practically impossible to recover the password from the hash (Oracle, I believe, generates a hash of the combined username and password to avoid situations where two passwords would generate the same hash).
When someone wants to use that password, you generate a hash of whatever they type in, and compare it with the stored hash.
If the two values are the same, then they entered the same password.
Re: how to encrypt and store the password? [message #183892 is a reply to message #183834]
Mon, 24 July 2006 04:55
ehegagoka
Messages: 493 Registered: July 2005
Senior Member
hi!
thank you so much sir, get_hash_value works fine for validating passwords =)
SQL> create table hashp (username varchar2(5), passwd number)
2 /
Table created
SQL> declare
2 uname varchar2(5) := 'rhani';
3 pwd varchar2(5) := 'passw';
4 begin
5 dbms_output.put_line('inserting password..');
6 insert into hashp values(uname, dbms_utility.get_hash_value(uname || pwd, 10000,10240));
7 commit;
8 end;
9 /
inserting password..
PL/SQL procedure successfully completed
SQL> declare
2 uname varchar2(5) := 'rhani';
3 pwd varchar2(5) := 'passx';
4 vhash number;
5 begin
6 select passwd
7 into vhash
8 from hashp
9 where username = 'rhani';
10 if vhash = dbms_utility.get_hash_value(uname || pwd, 10000,10240) then
11 dbms_output.put_line('valid password');
12 else
13 dbms_output.put_line('invalid password');
14 end if;
15 end;
16 /
invalid password
PL/SQL procedure successfully completed
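Added example, not part of any post in this thread: a Python sketch of the store-and-compare flow described above, using a random per-user salt and PBKDF2, plus a count of how many wrong passwords a hash limited to 10240 possible values would accept. `bucket_hash` is a constructed stand-in with the same output range as the call in the post (base 10000, hash_size 10240), not Oracle's algorithm; the iteration count and all function names are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def bucket_hash(text, base=10000, hash_size=10240):
    """Stand-in for a hash-table style function: result is in base..base+hash_size-1.
    Built on SHA-256; NOT Oracle's algorithm, only the same output range."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return base + int.from_bytes(digest[:8], "big") % hash_size


def wrong_passwords_accepted(username, password, trials=200_000):
    """Count constructed wrong passwords that a bucket-hash check would accept."""
    stored = bucket_hash(username + password)
    accepted = 0
    for i in range(trials):
        candidate = f"wrong{i}"  # constructed sample input, never the real password
        if bucket_hash(username + candidate) == stored:
            accepted += 1
    return accepted  # roughly trials / hash_size, because only hash_size values exist


def make_record(password, iterations=PBKDF2_ITERATIONS):
    """Create what gets stored: a random per-user salt plus a slow salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record, attempt):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    print("wrong passwords accepted by the 10240-value check:",
          wrong_passwords_accepted("rhani", "passw"))
    rec = make_record("passw")
    print("correct:", verify(rec, "passw"), "wrong:", verify(rec, "passx"))
```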
Re: how to encrypt and store the password? [message #183900 is a reply to message #183895]
Mon, 24 July 2006 05:23
JRowbottom
Messages: 5933 Registered: June 2006 Location: Sunny North Yorkshire, ho...
Senior Member
Don't run things as SYS.
If you're not doing DBA type things, then don't log in as SYS or SYSTEM at all.
In fact, as a rule of thumb, if the thing that you're doing can be done from any other schema, then that's where it should be done from.
Just don't do it.
If code in the Scott schema needs to access DBMS_CRYPTO, then grant the access.