

Re: How should passwords be stored in a database?

From: <lbudney-usenet_at_nb.net>
Date: 02 Sep 2001 06:48:37 -0400
Message-ID: <m3sne5x3zu.fsf@peregrine.swoop.local>


Christer Palm <palm_at_nogui.se> writes:
> "Michael Vilain " wrote:

>> 
>> Passwords stored in databases aren't usually in clear text but rather
>> encrypted.

>
> I think Philip was referring to the password to access the database, not
> any passwords stored within the database...

No, he's not. He's referring to things like: passwords for access to web-based services. They're usually stored in the clear inside the DB, since the web developers don't know what they're doing.

At the very least, the following should be done: (1) For each user listed in the DB, store a large random integer in a field called "salt". (2) The password is concatenated with the salt, and then a hash is taken. For example, MD5 or SHA. (3) The hash is stored in the "password" field.

To perform authentication, take the user-supplied password, concatenate it with the locally stored hash, and compare with the value stored in the DB.

This is a major security concern, not only because of the risk of one site being compromised, but because people reuse passwords. For the people who are compromised in this way, NONE of their accounts should be considered safe. So the site maintainer is guilty of a major breach of privacy against his own users.

--Len.

-- 
Early to bed and early to rise makes a man tired and grumpy.
				-- Dan Bernstein
Received on Sun Sep 02 2001 - 05:48:37 CDT
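As an added example (not code from the post or from any project it mentions), the three-step scheme Len describes, in Python: a random per-user salt, a hash over password||salt, and verification that re-hashes the supplied password with that user's stored salt. SHA-256 stands in for the post's "MD5 or SHA"; the record layout and the sample users are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example of the salted-hash scheme from the post: only the salt and
# the hash are stored, never the password itself. SHA-256 stands in for
# "MD5 or SHA"; a deliberately slow KDF such as hashlib.pbkdf2_hmac would
# replace the single hash in a modern deployment.

SALT_BYTES = 16  # 128-bit random salt per user (step 1)


def hash_password(password: str, salt: bytes) -> bytes:
    """Step (2): hash the concatenation of the password and the salt."""
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def create_user_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Steps (1) and (3): pick a fresh salt, store salt and hash as hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt.hex(), "password": hash_password(password, salt).hex()}


def verify_password(record: dict, supplied: str) -> bool:
    """Re-hash the supplied password with the user's stored salt and compare
    it in constant time against the stored hash."""
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(supplied, salt)
    return hmac.compare_digest(candidate, bytes.fromhex(record["password"]))


# Constructed sample "users" table: two users who chose the same password.
USERS = {
    "alice": create_user_record("correct horse"),
    "bob": create_user_record("correct horse"),
}


def same_password_same_hash(users: dict, a: str, b: str) -> bool:
    """Without salts, identical passwords give identical stored hashes; with
    per-user salts they differ, so a leaked table does not expose reuse."""
    return users[a]["password"] == users[b]["password"]
```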

