Re: How should passwords be stored in a database?
Christer Palm <palm_at_nogui.se> writes:
> "Michael Vilain " wrote:
>> Passwords stored in databases aren't usually in clear text but rather encrypted.
No he's not. He's referring to things like: passwords for access to webbased services. They're usually stored in the clear inside the DB, since the web developers don't know what they're doing.
At the very least, the following should be done:
(1) For each user listed in the DB, store a large random integer in a field called "salt".
(2) The password is concatenated with the salt, and then a hash is taken. For example, MD5 or SHA.
(3) The hash is stored in the "password" field.
To perform authentication, take the user-supplied password, concatenate it with the locally stored hash, and compare with the value stored in the DB.
This is a major security concern, not only because of the risk of one site being compromised, but because people reuse passwords. For the people who are compromised in this way, NONE of their accounts should be considered safe. So the site maintainer is guilty of a major breach of privacy against his own users.
--Len.
-- 
Early to bed and early to rise makes a man tired and grumpy. -- Dan Bernstein

Received on Sun Sep 02 2001 - 05:48:37 CDT