January 19, 2009 at 7:15 am
The Gurus,
Could you please, tell me how to hide the content of a password column in the database table? I want the content to show as xxxxxxxxxx instead of mypassword for example.
Many thanks in advance.
Regards,
Sahoong.
January 19, 2009 at 7:31 am
You can look up Encryption on BOL. That would be the best. Or let your App handle the encryption and save the encrypted data in the password Field. And decrypt in the application layer.
-Roy
January 19, 2009 at 7:51 am
Thanks so much Roy. I'll do that.
January 19, 2009 at 8:01 am
If you don't need to show the password ever, you can use a one way hash with pwdencrypt()
January 19, 2009 at 7:23 pm
Aren't there about 10 million articles on how to break pwdencrypt() ?
--Jeff Moden
Change is inevitable... Change for the better is not.
January 19, 2009 at 8:21 pm
Roy Ernest (1/19/2009)
You can look up Encryption on BOL. That would be the best. Or let your App handle the encryption and save the encrypted data in the password Field. And decrypt in the application layer.
We do that for CC #s with the xp_crypt product.
January 20, 2009 at 1:20 am
If you use a decent one way encryption routine, you never need to decrypt the passwords. Just use the same encryption routine when the user enters their password, and if the encrypted result matches the value stored in the table, the user is authenticated. There's lots of good information on this on the net, and I don't think it's that hard to write a routine using a decent hashing algorithm to do this.
We get around the whole password issue in our apps by using the LAN ID to drive everything. This isn't really an option when you have external parites accessing an app, say on a website, but for internal apps it's definitely the way to go. Eliminates the need to have users change passwords periodically for the app, as they have to change them on the LAN. Much harder to spoof as well, assuming users keep their LAN ID passwords reasonably secure (most of our users are authenticated on the LAN with smart cards, so there's even less chance of spoofing).
January 20, 2009 at 6:13 am
Ross McMicken (1/20/2009)
If you use a decent one way encryption routine, you never need to decrypt the passwords. Just use the same encryption routine when the user enters their password, and if the encrypted result matches the value stored in the table, the user is authenticated. There's lots of good information on this on the net, and I don't think it's that hard to write a routine using a decent hashing algorithm to do this.We get around the whole password issue in our apps by using the LAN ID to drive everything. This isn't really an option when you have external parites accessing an app, say on a website, but for internal apps it's definitely the way to go. Eliminates the need to have users change passwords periodically for the app, as they have to change them on the LAN. Much harder to spoof as well, assuming users keep their LAN ID passwords reasonably secure (most of our users are authenticated on the LAN with smart cards, so there's even less chance of spoofing).
I beleive he is talking about Customer passwords. Not the User passwords.
-Roy
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply