Store Passwords

Status
Not open for further replies.

pcawdron

Programmer
Jun 14, 2000
109
AU
How do you store application passwords in an encrypted form within MS SQL Server?

I have an IIS application with UID and PWD stored in a MS SQL Server table, but there's nothing stopping someone with database access from seeing user's passwords.

Any ideas?

As always, many thanks to the Tek-Tips community for its help

:)
 
Normally what you would do is encrypt the password via a 1-way hash and store the resulting hashed password in the database. Then when someone logs in you encrypt the password they entered through the same 1-way hash and compare the two. If they are the same then the user put in the right password. Since it is a 1-way hash there is no practical (aside from brute force) method to derive the original password from the hashed one. Thus if someone does get access to your database they can't get people's logins... but then if they've got that far they probably don't need someone else's password, would they?
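The store-then-compare flow this reply describes, written out as an added example in Python (not code from the thread or from any poster). It goes a little beyond the bare one-way hash in the post: each stored record carries a per-user random salt and an iteration count (PBKDF2-HMAC-SHA256), and the comparison is constant-time. The in-memory `USERS` dict stands in for the UID/PWD table; the function names and parameters are this example's own.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Parameters chosen for this example; the record stores them so they can be raised later.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per user means two users with the same password get
    different stored values, so one precomputed table cannot attack the whole column."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same one-way function on the submitted password and compare it
    with the stored value, as the reply describes. compare_digest keeps the
    comparison time independent of where the first mismatching byte is."""
    try:
        scheme, iterations_s, salt_hex, digest_hex = stored.split("$")
        hash_name = scheme.split("_", 1)[1]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_s)
    except (ValueError, IndexError):
        return False  # malformed record: never treat it as a match
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the UID/PWD table: UID -> stored hash record (never the password).
USERS: dict[str, str] = {}


def register(uid: str, password: str) -> None:
    USERS[uid] = hash_password(password)


def login(uid: str, password: str) -> bool:
    record = USERS.get(uid)
    if record is None:
        return False
    return verify_password(password, record)
```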
 
We use an encryption routine within our applications and store the encrypted values in the database. I believe this is the Microsoft recommended method to encrypt SQL Server data. There are some third party tools available for client applications and for use in SQL Server (i.e., extended stored procedures).

See the MCP Magazine article at the following link. Near the end of the article, the author discusses encryption.


You can search the Internet for other links to SQL Server encryption articles and software.

If you want to get the best answer for your question read faq183-874 and faq183-3179.
Terry L. Broadbent - DBA
SQL Server Page:
 
Thanks for the input, looks like the 1-way hash will handle the problem nicely.

Oh, yes, you're right, if someone has got that far into the database they could do anything they want. What we're trying to avoid is a situation where someone would become aware of a UID and PWD and then go back into the application to make changes that would be attributed to this user as those changes would be indistinguishable from genuine actions taken by that user.

Many thanks,
Peter
 