How to store passwords in database securely?

I have read that one way to store passwords in a database is the following. Have a database table with columns username, hash and salt. The salt would never be shown.

I generate the hash with password + salt. The password is sent by the user and is not stored in the database. If the generated hash is the same as the one stored in the database, the password is correct.

But I have my doubts. If I send the password, it could be sniffed while it is transmitted over the wire, so I think that it is necessary to encrypt the communication too. So is using a hash and salt only to protect the data from the administrator? I mean that if I store the password in the database, an administrator could easily access all the information. If I store the hash, the administrators can't access the users' information because the administrator doesn't have half of the information, only the salt and not the password. However, since the user needs to send the password, this could be sniffed by someone, so the password is exposed.

What is the best way to protect the user's information?

Thanks.

Álvaro García asked Feb 17 '23 23:02


2 Answers

Hashed passwords also protect your data from outsiders. Imagine, if someone accessed your data using a SQL injection he would only get a hash & not the pass. You can use HTTPS for secure communication over your network & use your existing table of hashed passwords for a good security model. Secure salted password hashing

Zo Has answered Mar 02 '23 00:03
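As an added illustration (not code from either answer), here is the username/hash/salt table from the question implemented with PBKDF2-HMAC-SHA256, a fresh random salt per user and a constant-time comparison. The iteration count and the in-memory table are assumptions; a real deployment would read the work factor from configuration and the rows from the database.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor: assumed value for this example. Raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


# Constructed stand-in for the (username, hash, salt) table described in the question.
USERS: Dict[str, Dict[str, bytes]] = {}


def register(username: str, password: str) -> None:
    """Store only the salt and the derived hash; the password itself is never kept."""
    salt, digest = hash_password(password)
    USERS[username] = {"hash": digest, "salt": salt}


def login(username: str, password: str) -> bool:
    row = USERS.get(username)
    if row is None:
        # Do the same amount of work for unknown users so timing does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, row["salt"], row["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Per-user salts: two users with the same password get different rows,
    which is what defeats precomputed (rainbow) tables."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second
```

The salt need not be secret; its job is to make each stored hash unique so an attacker who obtains the table must attack every row separately.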


If you have to transmit the password in clear then you must protect it in transit. From browser to http server you need SSL/TLS. From application server to database you need encrypted connections.

There are schemes that don't require the transmission of the password, the best known being HTTP Digest. You can store Digest's HA1 part in the database. The realm secret and user name contained in the HA1 digest count as an effective protection against rainbow tables, but the fact that Digest is still based on MD5 makes the scheme relatively weak against a sufficiently well equipped brute force. However, such a brute force would only reveal a collision that is specific to the given user name and realm, thus making it of very little use.

Remus Rusanu answered Mar 01 '23 23:03