
02-10-04, 17:45
Registered User
Join Date: Feb 2004
Posts: 59
Basic Security
Hi Everyone-
Okay, so this might be an odd question... I've checked out the security FAQs on multiple bulletin boards and here's what I need to figure out.
If I want SIMPLE security for my database, can I create a username and password field in a hidden table? Then, can I use those passwords to let people into the system? Everyone will have the same rights, the only thing that I want to distinguish is that each "user" can only change his/her password (and not others)... Does this make sense?
Any ideas on coding for this?
Thanks everyone!
__________________
-Matt H-
www.comperfection.com

02-11-04, 15:15
Registered User
Join Date: Sep 2003
Location: Cincinnati, Oh USA
Posts: 203
Re: Basic Security
You really need to provide more information. Security can be dependent on the application, server, intranet, internet and so forth.
Tell us the app and if it's used in house or across the web, single use at a time, multi-user, networked?
Quote:
Originally posted by mateo107
Hi Everyone-
Okay, so this might be an odd question... I've checked out the security FAQs on multiple bulletin boards and here's what I need to figure out.
If I want SIMPLE security for my database, can I create a username and password field in a hidden table? Then, can I use those passwords to let people into the system? Everyone will have the same rights, the only thing that I want to distinguish is that each "user" can only change his/her password (and not others)... Does this make sense?
Any ideas on coding for this?
Thanks everyone!
__________________
Rick Knight
KnightShift Office Solutions and Horse Breaking
VB, VBA, FileMaker, Access Solutions, Web Solutions

02-25-04, 01:45
Guru
Join Date: Jun 2003
Location: USA
Posts: 1,032
Quote:
Okay, so this might be an odd question... I've checked out the security FAQs on multiple bulletin boards and here's what I need to figure out.
If I want SIMPLE security for my database, can I create a username and password field in a hidden table? Then, can I use those passwords to let people into the system? Everyone will have the same rights, the only thing that I want to distinguish is that each "user" can only change his/her password (and not others)... Does this make sense?
Don't know if you're thinking about putting the database on the Web but if so your plan looks fine to me.
And here's something quick I wrote about the concept for ASP pages:
ASP Design Tips - Login Page
http://www.bullschmidt.com/devtip-loginpage.asp

03-01-04, 14:52
Resident Curmudgeon
Join Date: Feb 2004
Location: In front of the computer
Posts: 12,605
I'd suggest not storing the password in plain text.
A simple solution is to concatenate the user name with the password (optionally forcing upper or lower case if you want the password to be case-insensitive), then compute the CRC. This is small, quick, and very hard to break. It allows you to use an ordinary table instead of having to "hide it behind the curtains" to prevent a security breach. A CRC can be broken by brute force (it is especially vulnerable to dictionary-based attacks), but if you keep the details of just which attributes you use to salt the CRC a secret, it becomes very tough to break.
When you create a new user, just pass their password through your CRC routine and store the result. When the user logs back in, pass their password back through the CRC routine and compare the new CRC with the CRC value stored in the table.
-PatP
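
An added example, not part of the post above or any poster's code: the store-then-recompute-and-compare flow it describes, together with the original question's rule that each user changes only their own password. It swaps the CRC for PBKDF2-HMAC-SHA256 with a random per-user salt, because a CRC is a short error-detection checksum rather than a password hash. The SQLite table, the function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash from the standard library (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_store() -> sqlite3.Connection:
    # Hypothetical table layout: only the salt and the derived hash are stored.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def create_user(db, username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user, not a secret recipe
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, _derive(password, salt)))


def verify_login(db, username: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        _derive(password, b"\0" * 16)  # keep timing similar for unknown users
        return False
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(_derive(password, row[0]), row[1])


def change_password(db, username: str, old: str, new: str) -> bool:
    # A user may replace only the row whose current password they can prove.
    if not verify_login(db, username, old):
        return False
    salt = os.urandom(16)
    db.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE username = ?",
               (salt, _derive(new, salt), username))
    return True
```

Because the salt is random per row, two users with the same password get different stored values, so the table does not need to be hidden for the scheme to hold.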

03-01-04, 18:20
Guru
Join Date: Jun 2003
Location: USA
Posts: 1,032
Yes, encryption can definitely make the security more enhanced. 