How can I see password

  • Hi all,

    I have a table with user_name and User_password columns. The data type of user_password is varbinary(256). Last day I imported this table into Access and was stunned to see all passwords in general text. Whereas when I open the table in SQL Server 2000, I am unable to see anything except hex code. Then I wrote this SQL statement to play a foul

    "select cast(user_password as varchar(256)) from user"

    but I can just see the first character of the password.

    How can I use this query to see all characters?

  • In general it's not good practice to have anyone "see" the passwords. From your description it sounds as though the column was created with encryption. This is done for a specific reason.


    Cheers,

    Alex

    Rogue DBA

  • I cannot answer your query question, although I have an idea, but in general passwords or encrypted passwords are not stored anywhere.

    What usually happens is the password value is appended with a random lump of data called a salt value, and then a one way hash algorithm is run to produce the value which is stored. Now when users enter a password it is pushed through the same process and the hashed value is compared with the stored one. This ensures that even stealing the database cannot benefit a would-be hacker.

    This implies the salt value is also stored which gives the hacker a clue but the wrinkle on this idea, which is gaining popularity, is to use other bits of row data to make up the salt value which is unique to the row thus making it just that bit more difficult to crack.

    Mike L (SQL Server newbie)

  • You can simply do a basic XOR operation on every character in the password:

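    // C++ code
    #include <cstring>

    char* pass;  // contains the user's password

    size_t len = strlen(pass);
    char* newpass = new char[len + 1];

    for (size_t i = 0; i < len; i++)
         newpass[i] = pass[i] ^ i;  // XOR each character with its index

    newpass[len] = '\0';  // terminate the result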

    This code is used to encrypt & decrypt any password in your database.

    I don't know if it's possible to do it in T-SQL (I have not much experience in T-SQL).

    Ezz Khayyat

  • The XOR encoding approach might stop a casual thief (it's certainly better than nothing) but the algorithm is way too easy to crack.   Indeed a hacker will probably LOOK for a simple XOR approach initially...

    If you have some programming abilities, suggest you use one of the cryptography algorithms built into the .NET Framework.  What we did was to encrypt our passwords using the .NET "RijndaelManaged" Class,  and store the encrypted passwords in a database table.  We then retrieved the passwords from the table and unencrypted them in our ASP.NET application when we needed to access them.  Here's a link to get you started -- with sample source code!

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemsecuritycryptographyrijndaelmanagedclasstopic.asp

     
  • If it is encrypted, then why, after exporting this table into Access, am I able to see all passwords?


  • The password is probably stored using Unicode (wide-char) not ASCII.  Try using:

    select cast(user_password as nvarchar(256)) from user

    Example:

    create table #user (username varchar(20), userpassword varbinary(256))

    go

    insert into #user (username,userpassword) values ('ascii',convert(varbinary(256),'123abc'))

    insert into #user (username,userpassword) values ('wide',convert(varbinary(256),N'123abc'))

    go

    select username,cast(userpassword as varchar(256)) as ASCIIPWD from #user

    select username,cast(userpassword as nvarchar(256)) as WIDEPWD from #user

    go

    Results:

    username    asciipwd
    ascii       123abc
    wide        1

    username    widepwd
    ascii       ...
    wide        123abc

    - John
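Added example, not part of any post in this thread: a Python illustration of two points made above, John's observation that the varbinary column holds plain character bytes rather than ciphertext, and the salted one-way hash Mike L describes as the usual alternative. PBKDF2-HMAC-SHA256, the iteration count, the "client stops at the first NUL" model and all function names are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware

# Constructed sample values, the same bytes as the two rows in John's #user table.
ASCII_ROW = "123abc".encode("ascii")      # convert(varbinary(256), '123abc')
WIDE_ROW = "123abc".encode("utf-16-le")   # convert(varbinary(256), N'123abc')


def varchar_view(blob):
    """Model a client that stops displaying at the first NUL byte (assumption)."""
    return blob.split(b"\x00", 1)[0].decode("latin-1")


def recover_text(blob):
    """Audit heuristic (ASCII passwords only): return the text if the stored
    bytes are merely encoded characters, else None."""
    for encoding in ("ascii", "utf-16-le"):  # varchar bytes, then nvarchar bytes
        try:
            text = blob.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and text.isascii() and text.isprintable():
            return text
    return None


def hash_password(password, salt=None):
    """Random per-row salt plus a one-way hash; both values are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-run the same salted hash on the login attempt and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("varchar view of wide row:", repr(varchar_view(WIDE_ROW)))
    print("recovered from ascii row:", recover_text(ASCII_ROW))
    print("recovered from wide row: ", recover_text(WIDE_ROW))
    salt, digest = hash_password("123abc")
    print("recovered from hash:     ", recover_text(digest))
    print("correct password ok:     ", verify_password("123abc", salt, digest))
    print("wrong password ok:       ", verify_password("123abd", salt, digest))
```

Running `recover_text` over a sample of an existing password column is a quick way to confirm whether the values are only encoded text before planning a migration to salted hashes.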

     
