Stored procedure or a trigger to mask password field in login table

  • Can anyone please let me know how we can mask the password field in SQL Server, maybe a stored procedure or a trigger or a script that will do it for existing users and can be used for future users?

    This would be really helpful.

    thanks

  • Do not store passwords in a table. Create hashes of the passwords and store the hash. That way, the password cannot be recovered from the value in the table.

    When they log in, hash the password they enter, and compare that to the hash value in the table.

  • What do you mean by "mask" the password field?

    Passwords in SQL Server are already hashed. If this is a user table, you can hash those. The values in a table that you store are not entered into SQL Server, they are entered into an application.

  • Sorry if I was not descriptive enough, but what I want to know is this: when the password is stored in the login table, as of now the DBA can see the password for every user. I wanted to find out a way that would mask the contents of the password field in the table so that the DBA or anyone else who has access to the table cannot see the password.

    Please let me know how we can do this or how we "hash" the passwords.

    thanks

  • There are any number of ways you could hash things. Here's a quick article on the functions you use (http://weblogs.asp.net/bradygaster/archive/2003/11/26/39935.aspx).

    Basically instead of

    insert users (username, password) select @user, @pwd

    you'd do a

    insert users (username, password) select @user, pwdencrypt(@pwd)

  • Hi

    If you can tell us the platform (Java, .NET, C++, ???) you are using, I'm pretty sure anybody can show you a direction to go or even a little sample.

    Greets

    Flo

  • I am using ColdFusion

    thanks

  • Has anyone using ColdFusion encountered this situation before? Any help would be really appreciated.

    thanks

  • I have to admit I wouldn't do the hashing IN the application; I would pass the clear-text password to a stored procedure that would pass back an indicator and any other important user information indicating that the password was good. The stored procedure would handle hashing the password in the same way the stored version is already hashed and then just compare the hashes.

    CEWII
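
The stored-procedure approach from the last post, as an added example that is not part of the original thread: T-SQL for SQL Server 2012 or later, with hypothetical table, column and procedure names. It stores a per-user random salt and a hand-rolled iterated SHA2_512 hash (not PBKDF2; the iteration count is an illustrative value), so no clear-text column exists for a DBA to read. It assumes the connection to the server is encrypted, since the clear-text password travels as a procedure parameter.

```sql
-- Added example; all object names are hypothetical. Needs SQL Server 2012+ (SHA2_512).
CREATE TABLE dbo.AppUsers (
    UserName     nvarchar(128) NOT NULL PRIMARY KEY,
    PasswordSalt varbinary(16) NOT NULL,   -- random, different for every user
    PasswordHash varbinary(64) NOT NULL    -- there is no clear-text column at all
);
GO
-- Salted SHA2_512, iterated to make offline guessing slower.
CREATE FUNCTION dbo.HashPassword (@pwd nvarchar(128), @salt varbinary(16))
RETURNS varbinary(64)
AS
BEGIN
    DECLARE @h varbinary(64) =
        HASHBYTES('SHA2_512', @salt + CAST(@pwd AS varbinary(256)));
    DECLARE @i int = 1;
    WHILE @i < 10000                       -- illustrative iteration count
    BEGIN
        SET @h = HASHBYTES('SHA2_512', @salt + @h);
        SET @i += 1;
    END;
    RETURN @h;
END;
GO
-- New users and password changes: a fresh salt every time.
CREATE PROCEDURE dbo.SetPassword @user nvarchar(128), @pwd nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    DECLARE @hash varbinary(64) = dbo.HashPassword(@pwd, @salt);
    UPDATE dbo.AppUsers SET PasswordSalt = @salt, PasswordHash = @hash
    WHERE UserName = @user;
    IF @@ROWCOUNT = 0
        INSERT dbo.AppUsers (UserName, PasswordSalt, PasswordHash)
        VALUES (@user, @salt, @hash);
END;
GO
-- Login check: re-hash the submitted password with the stored salt and compare.
CREATE PROCEDURE dbo.CheckPassword
    @user nvarchar(128), @pwd nvarchar(128), @ok bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @ok = 0;                           -- stays 0 for unknown user or wrong password
    SELECT @ok = 1 FROM dbo.AppUsers
    WHERE UserName = @user
      AND PasswordHash = dbo.HashPassword(@pwd, PasswordSalt);
END;
GO
-- Constructed sample data:
EXEC dbo.SetPassword N'alice', N'constructed-sample-password';
DECLARE @ok bit;
EXEC dbo.CheckPassword N'alice', N'wrong-guess', @ok OUTPUT;   -- @ok = 0
```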
