June 26, 2010 at 4:35 am
Hello,
How is it possible to store a password in a DB? I think that using SHA1 or another function is a good idea?
Does anybody have this function?
thx Radek
June 26, 2010 at 5:27 am
Store the hash of the password, not the password itself.
http://msdn.microsoft.com/en-us/library/ms174415%28SQL.100%29.aspx
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
June 26, 2010 at 1:22 pm
Since HASHBYTES doesn't use any form of encryption key, I'd like to suggest that someone with just a tiny bit of time on a GOOGLE search can easily find a code cracker or maybe even write their own. People who attempt to create their own encryption using such methods are frequently hacked and frequently become unemployed and unemployable for the future. Don't use HASHBYTES as a form of encryption.
--Jeff Moden
Change is inevitable... Change for the better is not.
June 26, 2010 at 1:37 pm
Right,
so tell me the right way to safely store a password..?
THX
June 26, 2010 at 1:42 pm
Jeff Moden (6/26/2010)
Since HASHBYTES doesn't use any form of encryption key, ... Don't use HASHBYTES as a form of encryption.
It's not a form of encryption, it's a one way cryptographic hash using one of the standard algorithms - MD2, MD4, MD5, SHA or SHA1.
Hashing's often a better option for passwords than encryption as hashing has no key to manage because it cannot be decrypted; it's a one-way algorithm. Hence there's no worry about securing the key (a major concern with reversible encryption).
http://en.wikipedia.org/wiki/Cryptographic_hash_function
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
June 26, 2010 at 1:44 pm
ok thank you.
Radek
June 27, 2010 at 5:26 pm
GilaMonster (6/26/2010)
Jeff Moden (6/26/2010)
Since HASHBYTES doesn't use any form of encryption key, ... Don't use HASHBYTES as a form of encryption.
It's not a form of encryption, it's a one way cryptographic hash using one of the standard algorithms - MD2, MD4, MD5, SHA or SHA1.
Hashing's often a better option for passwords than encryption as hashing has no key to manage because it cannot be decrypted; it's a one-way algorithm. Hence there's no worry about securing the key (a major concern with reversible encryption).
Heh... fine... get into word semantics if you'd like but they're really nothing more than checksums that can be duplicated (and thus reversed) fairly easily over a relatively short period of time. The problem is that people use it as a form of encryption (because they don't really understand the semantics) and it's a whole lot easier to brute force a reversal than it is with a certified encryption method. HASHBYTES is still good for digital signatures if the original text isn't available but the Chinese have found a way to get around even that on a "regular size" document... just imagine how fast someone could plank even an 8 character password.
My recommendation will continue to be contrary to yours in using HASHBYTES to obfuscate relatively simple passwords and user names (I agree to disagree :-D)... I wouldn't use HASHBYTES to "protect" anything. It only takes a max of about 832 billion guesses to break a 6 character password that includes any combination of upper/lower case letters, digits, and visible special characters and only 80.1 trillion guesses to break a 7 character password similar in nature. It doesn't take very long to make such numbers of guesses today even on a laptop computer. Usually, it'll only take half that number of guesses on the average just because people don't usually pick the last possible password.
--Jeff Moden
Change is inevitable... Change for the better is not.
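The following is an added example, not code from any poster in this thread, to make concrete the two points argued above: Gail's advice to store a hash rather than the password, and Jeff's objection that a bare HASHBYTES digest of a short password can be guessed by enumerating the keyspace. It reproduces what `HASHBYTES('SHA1', ...)` computes (an unsalted, single-round SHA-1) in Python's `hashlib`, then contrasts it with a salted, iterated verifier (PBKDF2-HMAC-SHA1, which is a swapped-in technique not mentioned in the thread). The iteration count and the 16-byte salt length are assumed values. The `keyspace` helper is plain counting: a 97-symbol alphabet gives 97^6, about 833 billion, in line with the 832 billion figure in the post above.

```python
import hashlib
import hmac
import os

# Assumed work factor for the slow hash; raise it as hardware permits.
ITERATIONS = 100_000
SALT_BYTES = 16  # assumed salt length


def hashbytes_sha1(password: str) -> bytes:
    """Equivalent of T-SQL HASHBYTES('SHA1', @password): unsalted, one round.

    Two users with the same password get the same digest, so one
    precomputed table of digests for short passwords cracks all of them.
    """
    return hashlib.sha1(password.encode("utf-8")).digest()


def make_verifier(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest) for a salted, iterated PBKDF2-HMAC-SHA1 verifier.

    The salt makes equal passwords hash differently; the iteration count
    multiplies the cost of every guess by ITERATIONS.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the verifier with the stored salt and compare in constant time."""
    _, candidate = make_verifier(password, salt)
    return hmac.compare_digest(candidate, stored)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every password at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600.0


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    pw = "Summer10"
    print("HASHBYTES-style, user A:", hashbytes_sha1(pw).hex())
    print("HASHBYTES-style, user B:", hashbytes_sha1(pw).hex())  # identical

    salt_a, dig_a = make_verifier(pw)
    salt_b, dig_b = make_verifier(pw)
    print("salted, user A:", dig_a.hex())
    print("salted, user B:", dig_b.hex())  # differs, different salt
    print("login A with right password:", verify(pw, salt_a, dig_a))
    print("login A with wrong password:", verify("summer10", salt_a, dig_a))

    # Jeff's 6- and 7-character figures with a 97-symbol alphabet,
    # at a constructed guess rate of one billion unsalted SHA-1 per second.
    for n in (6, 7):
        print(n, "chars:", keyspace(97, n), "guesses,",
              round(hours_to_exhaust(97, n, 1e9), 1), "hours")
```

The stored row for an account is the salt and the PBKDF2 digest, never the password; `verify` is what the login path calls. The unsalted `hashbytes_sha1` function is kept only to show why the bare digest is weak: identical output for identical input, and a per-guess cost of one SHA-1, which is what makes the keyspace arithmetic in the post so cheap to run through.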