  1. #1
    Join Date
    Mar 2008

    Unanswered: Login with encrypted password versus plaintext

    (Oracle 9i and 10g in use)

    This is a very basic question, and it might end up being platform/language dependent....

    I'm working on a series of web applications and rather than have the password to the db sit in plain text, I'd like for the password to be encrypted in the file.

    Some are in Perl using DBD::Oracle, some are in JSP (not by choice)... Does Oracle have some kind of method of doing this that is independent of language?

    An example of what I mean is (in Perl)...

    my $dbh = DBI->connect("dbi:Oracle....", $user, "Password"...


    my $dbh = DBI->connect("dbi:Oracle....", $user, "Encrypted password"...

    Also, if this is a better method and anyone has a better idea for an authentication model, please share!

    Thanks all! (Hopefully my question isn't too vague... I've been known to do that in the past)
    Last edited by kreeves; 12-16-09 at 14:42.

  2. #2
    Join Date
    Oct 2002
    Cape Town, South Africa
    The most secure that you could ever make any application is not to store a password at all. You would ask the user to supply their username and password in order to form a connection to the database.

    In your case though, you need to connect as a specific user with a password saved. The location of this password is outside of Oracle's control and you will therefore have to encrypt the password yourself. From Oracle's perspective, your application is some user attempting to connect. The encrypted password would be saved either in your code file (hopefully not) or in a config file. Your application code would have to read the encrypted password, decrypt it, and then supply it as input into your connect function. After that, Oracle takes care of the encryption between the application and the database itself along the SQL*Net connection.

    There are hundreds of encryption algorithms and components that could be used. You need to decide on how important the data is and how high the fences need to be (so to speak). If you just want to hide the password from prying eyes, then a simple base64 encode will probably suffice.

    Always remember though, that your code file containing your decrypt and connect code could be viewed and then used to decrypt and show your password.
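
The read, decode and connect flow described in reply #2, as an added Perl example that is not part of the thread. The config format, the `password_b64` key, the `load_db_credentials` helper and the sample credentials are assumptions made for illustration; base64 is a keyless, reversible encoding, so the example also refuses a config file that group or other users can access (POSIX permissions assumed).

```perl
#!/usr/bin/perl
# Added example (not from the thread): read an encoded DB password from a
# config file, decode it, and hand the result to the connect call.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Hypothetical config format: one "key=value" per line; "password_b64" holds
# the base64-encoded password. Returns (user, password).
sub load_db_credentials {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    # Encoding is not access control: refuse a file group/other can access.
    die sprintf("%s has mode %04o; expected 0600 or stricter\n",
                $path, $st[2] & 07777)
        if $st[2] & (S_IRWXG | S_IRWXO);
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my %cfg;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#.*)?$/;      # skip blank lines and comments
        my ($k, $v) = split /=/, $line, 2;     # limit 2: base64 may end in '='
        $cfg{$k} = $v;
    }
    close $fh;
    defined $cfg{$_} or die "missing '$_' in $path\n" for qw(user password_b64);
    return ($cfg{user}, decode_base64($cfg{password_b64}));
}

# Constructed sample data: a throwaway config file with made-up credentials.
my ($tmp_fh, $tmp_path) = tempfile(UNLINK => 1);
print {$tmp_fh} "# constructed sample\nuser=app_user\npassword_b64=",
    encode_base64('S3cret=pw!', ''), "\n";
close $tmp_fh;
chmod 0600, $tmp_path;

my ($user, $password) = load_db_credentials($tmp_path);
print "user=$user, decoded password is ", length($password), " bytes\n";

# The decoded value then goes where the literal password was in the question:
#   DBI->connect($dsn, $user, $password, { RaiseError => 1 });

# A world-readable copy is rejected before anything is decoded.
chmod 0644, $tmp_path;
eval { load_db_credentials($tmp_path); 1 } or print "rejected: $@";
```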
