Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: How should passwords be stored in a database?

Re: How should passwords be stored in a database?

From: Andrew Allen <ajallen_at_mailhost.det.ameritech.net>
Date: Mon, 03 Sep 2001 15:52:10 GMT
Message-ID: <3B93A749.3FEC326D@mailhost.det.ameritech.net>


The proper way to store passwords in an Oracle database. IMNSHCO, do it like (or similar to) the way Oracle does it:

1. Create a function to encrypt/hash the userid/password combination. Add some salt if you wish so that the userid/password is a consistent length.
2. Wrap the function so that it is not human understandable (keep a copy of your source because you won't be able to use the text in dba_source).
3. Each time a password is created or changed, process it through the function to get the value to store in the database.
4. Each time the password must be validated, pass the submitted userid/password combination through the function and compare the results with the value stored in the database for that user. If they match they are in, if not keep them out.

OR

If you must be able to return a password to the user who forgot his, then use the Oracle Obfuscation Tool Kit -- available in Oracle 8.1+.

Of course, communicating the userid and password to the database is an issue for the communication layer and is not addressed here.

hth

AJ. Allen

Philip Koblence wrote:
>
> I have seen in many instances where website customers' passwords are stored
> in databases like Oracle. What is a safer way to store passwords in
> databases? If a hacker breaks in to the databases he has access to all the
> passwords.
>
> Also people who use php or asp or perl scripts have passwords in their
> scripts for the database connections. If a hacker breaks in and sees these
> scripts he can easily find that login and password.
Received on Mon Sep 03 2001 - 10:52:10 CDT
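
The store-and-compare flow in steps 1, 3 and 4 of the reply above, as an added example that is not part of the original post or any Oracle code. Assumptions: the table name app_users and all function names are hypothetical, an in-memory SQLite database stands in for the Oracle table, and PBKDF2-HMAC-SHA256 with a random per-user salt is swapped in for the hash function the post leaves unspecified. Step 2 (wrapping the source) is not shown.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(userid, password, salt=None, iterations=ITERATIONS):
    """Step 1: derive the value to store from the userid/password pair."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    material = f"{userid.lower()}\x00{password}".encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", material, salt, iterations)
    return salt, iterations, digest


def set_password(db, userid, password):
    """Step 3: run every new or changed password through the function."""
    salt, iterations, digest = hash_password(userid, password)
    db.execute(
        "INSERT OR REPLACE INTO app_users (userid, salt, iterations, pw_hash) "
        "VALUES (?, ?, ?, ?)",
        (userid.lower(), salt, iterations, digest),
    )


def check_password(db, userid, password):
    """Step 4: recompute from the submitted pair and compare with the stored value."""
    row = db.execute(
        "SELECT salt, iterations, pw_hash FROM app_users WHERE userid = ?",
        (userid.lower(),),
    ).fetchone()
    if row is None:
        # Unknown user: still do the work so timing does not reveal which userids exist.
        hash_password(userid, password, b"\x00" * 16)
        return False
    salt, iterations, stored = row
    _, _, candidate = hash_password(userid, password, salt, iterations)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def open_demo_db():
    """In-memory SQLite stand-in for the Oracle table (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE app_users (userid TEXT PRIMARY KEY, salt BLOB, "
        "iterations INTEGER, pw_hash BLOB)"
    )
    return db
```

Because the salt is random per user, two accounts with the same password get different stored values, so a dump of the table does not reveal which users share a password.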
