Results 1 to 3 of 3
  1. #1
    Join Date
    Nov 2003
    Posts
    10

    Unanswered: password storage

    Hi everybody

    I am working on a school project where I am writing a software for course registration. I have different users Students, Faculty, and Administrator. They are allowed to log in using their ID and password. I was wondering how could i store password and userID securly. Should I store it in the individual table or separately?

    Any suggestion is appreciated. Also, if somebody has worked on this kind of project, please let me know.

    Thanks a lot

  2. #2
    Join Date
    Nov 2003
    Posts
    10

    Re: password storage

    [I am using SQL 2000.

  3. #3
    Join Date
    Jun 2003
    Location
    Ohio
    Posts
    12,592
    Provided Answers: 1
    You need to use what is known as "one-way" encryption. The good news is that this is simpler than "two-way" encryption where it is must be possible to both encypt and decrypt a text string. In one-way encryption you apply a function to encrypt the string, and then store the encrypted result in your table. When someone submits their password to log in, you apply the same encryption function to their password and then compare it to the encrypted version stored with their personal record. If the two match, you let the dude in.

    There are some built-in encryption functions within SQL Server which are simple to use. I think they are called dbencrypt and dbcompare, or something similiar. The disadvantage with these is that they are undocumented functions, and if you upgrade your database to a new version of sql server Microsoft does not guarantee that it will use the same encryption algorythm in future versions. The result (and this has happened in past upgrades...) is that the passwords your users submit no longer match the versions stored in your database. They must all be reset and new ones must be entered.

    You can write your own one-way encryption algorythm, or I have one that you can use that is more secure than the one supplied with SQL Server. (The built-in function has been cracked and the solution is available on the internet.)

    blindman

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •