
Re: Storing encrypted strings in a password column

From: Vladimir M. Zakharychev <bob_at_dpsp-yes.com>
Date: Wed, 18 Sep 2002 14:55:12 +0400
Message-ID: <am9m3d$3jq$1@babylon.agtel.net>


Well, for those security types I have one saying: any symmetric encryption algorithm is as secure as the place where you store encryption keys. You can use whatever symmetric algorithm, be it 3DES, IDEA, CAST, Blowfish or AES (or any other) - if I can get the encryption key you used, I can decrypt your data. For passwords, cryptographically strong hashes are probably the only really secure choice. You can verify whether passwords match using their hashes, but you can't get the password in plain text from its hash, hence you can't easily break into the system even if you collected hashes for all passwords. As for the hash length and algorithm - it's actually equally hard to brute-force MD5-128 or SHA-160 (are you certain you want those extra 8 bits?), but MD5-128 takes less space to store, so I would go for it. But it's your choice of course - if those security people will feel more comfortable with SHA-160 - so be it. :)

--
Vladimir Zakharychev (bob@dpsp-yes.com)                http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.


"Jurgen Lindt" <nospam_at_nospam.com> wrote in message
news:tEQh9.20771$1C2.1431684_at_bgtnsc04-news.ops.worldnet.att.net...

> Vladimir,
>
> No, it's not imperative, you're right.
>
> Points taken and I understand what you say. It does make sense. The thing
> is, the security types where I am, are "hell bent" on Triple DES encryption.
> If we just store the hash of any passwords, at best, this will be 168-bit
> SHA. In other words, not using their prized and beloved "Triple DES".
>
> I think now you mention it, storing the hash of the passwords makes sense.
> We're using the Microsoft Cryptography API, which seems fairly robust. (did
> I say a Microsoft product was robust?)
>
> Many thanks.
>
> JL
>
>
Received on Wed Sep 18 2002 - 05:55:12 CDT
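The store-a-digest-and-compare scheme Vladimir describes, as an added Python example that is not part of this thread: the password column holds only a hex digest (32 characters for MD5, 40 for SHA-1, the sizing question raised above), verification re-hashes the candidate and compares in constant time, and the plaintext is never recoverable from what is stored. The in-memory dict standing in for the Oracle table and the `pbkdf2_hmac` variant at the end are my additions; the latter is the modern caveat, since a single unsalted MD5 or SHA-1 is fast to brute-force on today's hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hex digest widths the post weighs when sizing the column:
# MD5 (128-bit) -> 32 hex chars, SHA-1 ("SHA-160") -> 40 hex chars.
DIGEST_HEX_LENGTH = {"md5": 32, "sha1": 40}


def hash_password(password: str, algorithm: str = "sha1") -> str:
    """Plain digest as the post describes: what the password column holds."""
    if algorithm not in DIGEST_HEX_LENGTH:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def store_password(table: dict, username: str, password: str,
                   algorithm: str = "sha1") -> None:
    """Write only the digest; the plaintext never reaches the table (a dict here)."""
    table[username] = (algorithm, hash_password(password, algorithm))


def verify_password(table: dict, username: str, candidate: str) -> bool:
    """Re-hash the candidate and compare digests in constant time.
    An unknown user still costs one hash so timing does not reveal usernames."""
    algorithm, stored = table.get(username, ("sha1", "0" * 40))
    computed = hash_password(candidate, algorithm)
    return username in table and hmac.compare_digest(stored, computed)


# Caveat for today's hardware: an unsalted single MD5/SHA-1 is fast to
# brute-force and identical passwords share a digest. A per-user random
# salt plus an iterated KDF (PBKDF2 here) fixes both; the stored string
# carries the parameters needed to verify it later.
def hash_password_slow(password: str, salt: Optional[bytes] = None,
                       iterations: int = 600_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password_slow(stored: str, candidate: str) -> bool:
    _, iterations, salt_hex, _ = stored.split("$")
    recomputed = hash_password_slow(candidate, bytes.fromhex(salt_hex),
                                    int(iterations))
    return hmac.compare_digest(stored, recomputed)
```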
