January 27, 2009 at 10:20 pm
Hi all,
I have created table name Personal it has two columns( name and password),i need to insert data to that table with encrypted password.then i need to view data from personal table therefor need to decrypt that password.i use MS-SQL 2000.i use undocumented function to encrypt the password.
as follows,
pwdencrypt('harsha')
but i don't know decrypt that encrypted password.and i need to view password again like 'harsha' after decrypt. please tell me how i do this.
thanks,
Harsha
January 29, 2009 at 2:15 am
Hi,
If all you are doing is comparing passwords you will not need to decrypt anything. Simply encrypt the supplied password and compare it with the password stored in your table. If the encrypted strings match, the unencrypted passwords match.
I would suggest that using an undocumented feature in any system is probably not the best way to go. There is a possibility that the feature will not be retained in future releases.
Hope this helps.
Quis custodiet ipsos custodes.
January 29, 2009 at 2:40 am
Shaun Stewart (1/29/2009)
Hi,If all you are doing is comparing passwords you will not need to decrypt anything. Simply encrypt the supplied password and compare it with the password stored in your table. If the encrypted strings match, the unencrypted passwords match.
No Shaun,
because pwdencrypt uses the current time when hashing a password, the hash will look different even though the password is the same.
See here for more detailed info
http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
Shaun Stewart (1/29/2009)
I would suggest that using an undocumented feature in any system is probably not the best way to go. There is a possibility that the feature will not be retained in future releases.Hope this helps.
I agree with you on this one. And in fact pwdencrypt in SQL 2005 is different from 2000.
For comparing the passwords use pwdcompare. Here you can find an example of how to use it: http://geekswithblogs.net/veerji/archive/2004/07/13/8305.aspx
[font="Verdana"]Markus Bohse[/font]
January 29, 2009 at 2:43 am
Shaun Stewart (1/29/2009)
Hi,If all you are doing is comparing passwords you will not need to decrypt anything. Simply encrypt the supplied password and compare it with the password stored in your table. If the encrypted strings match, the unencrypted passwords match.
And if you are storing customers passwords then you shouldn't be able to decrypt the password - that is, I believe, not PCI compliant. Like Shaun said, you should probably only compare encrypted passwords.
Shaun Stewart (1/29/2009)
I would suggest that using an undocumented feature in any system is probably not the best way to go. There is a possibility that the feature will not be retained in future releases.Hope this helps.
++1
Peace,
Lukk
January 29, 2009 at 2:47 am
Humble Apologies,
Many thanks for the heads up on that one. I was unaware that current time was used in generating the hash.
Quis custodiet ipsos custodes.
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply