Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: encrypt passwords and hold on Oracle tables

RE: encrypt passwords and hold on Oracle tables

From: Jared Still <jkstill_at_bcbso.com>
Date: Tue, 22 Aug 2000 07:32:27 -0700 (PDT)
Message-Id: <10597.115219@fatcity.com> 





Keep in mind that this method is insecure if you expect
anyone to actually try to crack the encrypted password.



Anyone fairly good with cryptography ( not me )would have 
your passwords cracked in a short time. 



Jared



On Mon, 21 Aug 2000, Abdul Aleem wrote:



> John,

> 

> Yes we also do that. We have our own encryption routine to save application

> user passwords in the database. To give you some idea, not the exact

> encryption ;) following is what we are doing. 

> 

> 1- Add a value (returned by an algorithm) to the ASCII of each character of

> password, to make it a non-keyboard character. The ASCII for the first

> non-keyboard character is 127. The ASCII for the first keyboard character is

> 32. The range of value to be added is therefore: 

> 127 - 32 = 95 (lower limit) and 

> 255 - 95 = 160 (upper limit). 

> 2- Store the encrypted password in the table

> 3- When user enters his/her password, the same algorithm encrypts the

> entered password and checks it against the stored one, instead of decrypting

> the stored password. This methodology saved us from writing decryption

> routine, if a user forgets password, we simply overwrite his old one using

> administrative rights. In the absence of decryption routine, no one can

> decrypt passwords. Further, the source code of encryption routine is

> available to a couple of senior developers only. Others use compiled code.

> 

> I am not an efficient in coding in PL/SQL, but it will look something like

> this.

> 

> User_password := :Block.Password ;

> Encrp_password := '';

> Position := 1;

> WHILE Position <= LENGTH( user_password )

> 	Encrp_password := Encrp_password + Algorithm( MIDSTR( user_password,

> position, 1 ));

>             Position := position + 1;

> LOOP;


> 

> HTH!


> Aleem

>  -----Original Message-----

> Sent:	21 August 2000 22:09

> To:	Multiple recipients of list ORACLE-L

> Subject:	Re: encrypt  passwords and hold on Oracle tables

> 

> On Tue, 15 Aug 2000, Ashish Shah wrote:

> 

> > you can try using package

> > dbms_obfuscation_toolkit.desencrypt...

> > 

> > This will encrypt and decrypt data for you...

> > 

> > the only problem is if someone knows how to

> > run this package to decrypt the data he can

> > have access to passwords...

> 

> 

> Knowing how to execute the package will not let

> you decrypt data unless you know what the key is.

> 

> 

> Jared

> 

> > 

> > well you can have a look.

> > 

> > Let me know if someone have any better way

> > securing passwds after encrypting it.

> > 

> > Thanks.

> > 

> > 

> > --- John Dunn <john.dunn_at_sefas.co.uk> wrote:

> > > Our development team want to control access to

> > > application functionality via

> > > 'logical' users. That is, a list of users and the

> > > application functions they

> > > can use will be maintained in a database table.

> > > Actual connection to the

> > > database would always be via one user(maybe the

> > > schema owner, maybe some

> > > other single specified user).

> > > 

> > > Does anyone else have applications that work in this

> > > way? What use do you

> > > use to connect to the database?

> > > 

> > > The 'logical' users would also have passwords that

> > > would need to be held on

> > > the database tables. Is there any (easy) way to

> > > encrypt a character string

> > > and store it on the database?

> > > 

> > > The front end application is Visual Basic using

> > > OO4O...but we use lots of

> > > PL/SQL too.

> > > 

> > > Database is Oracle 8.0.5

> > > 

> > > John

> > > 

> > >  

> > > -- 

> > > Author: John Dunn

> > >   INET: john.dunn_at_sefas.co.uk

> > > 

> > > Fat City Network Services    -- (858) 538-5051  FAX:

> > > (858) 538-5051

> > > San Diego, California        -- Public Internet

> > > access / Mailing Lists

> > >

> 

> Jared Still

> Certified Oracle DBA and Part Time Perl Evangelist  ;-)

> Regence BlueCross BlueShield of Oregon

> jkstill_at_bcbso.com - Work - preferred address

> jkstill_at_teleport.com - private

> 

> 

> -- 

> 

> -- 

> Author: Abdul Aleem

>   INET: abchaudhary-ho_at_beaconhouse.edu.pk

> 

> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> San Diego, California        -- Public Internet access / Mailing Lists

> --------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).

> 





Jared Still


Certified Oracle DBA and Part Time Perl Evangelist  ;-)
Received on Tue Aug 22 2000 - 09:32:27 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US