Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

storing passwords in SQL Server

Tags:

sql-server-2008

What is the recommended practice for storing user passwords in SQL Server 2008?

I am storing user details for an intranet, and would like to get advice on best way to store a user details such as name, password and user access privillages etc. I am thinking of creating a nvarchar column and then encrypt this text before inserting into the table.

like image 400
Richard Avatar asked May 18 '09 05:05

Richard

People also ask

How are passwords stored in SQL Server?

Since SQL Server 2012, passwords are stored using the SHA_512 hashing algorithm with a 32-bit salt.

Where are SQL Server passwords stored?

Where are user names and passwords stored in SQL Server? - They are stored in master db in the sysxlogins table. - The passwords are not stored in plaintext. - To disable the ability to store the user name and password, you must to create a table called MsysConf in the SQL database.

What is the best practice in storing passwords in a database?

In most cases, storing the representation of a password in the database is the proper thing to do. To do this, you have to hash the password using a different salt for every user using a one-way algorithm and store the result, removing the original password.

How passwords are stored in database?

The password entered by user is concatenated with a random generated salt as well as a static salt. The concatenated string is passed as the input of hashing function. The result obtained is stored in database. Dynamic salt is required to be stored in the database since it is different for different users.

2 Answers

Encryption for sensitive data is good. However, with passwords, you should never need to know the original value, and since anything which is encrypted can also be decrypted, you put that information at jeopardy of being discovered.

Instead, you should keep a hash of the password. This process takes the value and generates what amounts to a very complicated checksum. Given the number, there's no way to go back to the original password, which increases the security of such information. When you want to know whether someone has given you the correct password, you hash the value they gave you and compare the hashes.

Security is a complicated topic. Even with hashes, you can end up having a system that has significant security flaws. Getting the help of a security consultant is not a bad idea if nobody else on your team already has that kind of knowledge.

like image 27
Brad Wilson Avatar answered Sep 24 '22 23:09

Brad Wilson

The usual way to store password, is to use a hash function on the password, but to salt it beforehand. It is important to "salt" the password, to defend oneself against rainbow table attacks.

So your table should look something like that

._______._________________.______________. |user_id|hash             |salt          | |-------|-----------------|--------------| |12     |adsgasdg@g4wea...|13%!#tQ!#3t...| |       |...              |...           |

When checking if a given password matches a user, you should concatenate the salt to the given password, and calculate the hash function of the result string. If the hash function output matches the hash column - it is the correct password.

It is important to understand however that the salt-hash idea has a specific reason -- to prevent anyone with access to the database from knowing anyone password (it is considered difficult problem to reverse a hash function output). So for example, the DBA of the bank, wouldn't be able to log-in to your bank account, even if he has access to all columns.

You should also consider using it if you think your users will use a sensitive password (for example their password for their gmail account) as a password to your website.

IMHO it is not always a security feature which is needed. So you should think whether or not you want it.

See this article for a good summary of this mechanism.

Update: It is worth mentioning, that for extra security against targeted attack for reversing individual password's hash, you should use bcrypt, which can be arbitrarily hard to compute. (But unless you're really afraid from mysterious man in black targeting your specific database, I think sha1 is good enough. I wouldn't introduce another dependency for my project for this extra security. That said, there's no reason not to use sha1 100 times, which would give a similar effect).

like image 194
Elazar Leibovich Avatar answered Sep 24 '22 23:09

Elazar Leibovich
Sign in to Comment

Related questions

how to create and call scalar function in sql server 2008
Get the list of stored procedures created and / or modified on a particular date?
How do I find a disabled index on SQL server 2008
An attempt to login using SQL authentication failed
concatenate two database columns into one resultset column
Trimming text strings in SQL Server 2008
Update Top 1 record in table sql server [duplicate]
How to find all trigger associated with a table with SQL Server?
How to check if cursor exists (open status)
How to deploy SQL Server Compact Edition 4.0?
"Primary Filegroup is Full" in SQL Server 2008 Standard for no apparent reason
SqlServer is in script upgrade mode
What is the right way to populate a DropDownList from a database?
Deleting a SQL row ignoring all foreign keys and constraints
Insert/Update/Delete with function in SQL Server
T-SQL substring - separating first and last name
SQL Server 2008 R2 Stuck in Single User Mode
Count records for every month in a year
The request failed or the service did not respond in a timely fashion?
How to describe table in SQL Server 2008?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!