storing encrypted password in a field

Status
Not open for further replies.

rk68

Programmer
Jul 15, 2003
171
IN
Hi,

I have Login table with Login ID & Password field. I want to store encrypted password in the "password" field (similar to MD5 in SQL).
What would be the field type of password?


Thanks,
RAJ
 
Passwords should NEVER be stored, even if encrypted. Calculate a hash using a strong algorithm (see dbms_crypt). To verify an entered password, you would put the entered password through the same hash and compare the two fields. If they match, then they get in. This is exactly what Oracle does in its database. If you have an encrypted password, then the encryption can be hacked.

Bill
Lead Application Developer
New York State, USA
 
Thanks Bill.

Sorry for not putting the details.
Our PHP developers are working on a website which will have a Login ID & password, and this is fetched from the Oracle table.
So when the user logs in the first time with his/her ID & password, the same is checked against the Oracle table and, if it matches, the user is allowed to view the website; the user is then asked to change his password. So when the user changes his password, this changed password is to be stored in encrypted format in the table.
One option is to pass the encrypted password (through PHP code) to be stored in the Oracle table. How can I store the password in encrypted format in Oracle; what will be the field type & length? Something similar to "MD5".

TIA,
Raj
 
MD5 is a hashing algorithm, not an encryption algorithm. I would use the hash algorithm HMAC_SH512. It is not only the most complex hashing available on Oracle, but it also requires a secret key. See the following procedure: DBMS_CRYPTO.HASH

One-way hashing is an open standard and can be generated by pretty much any application. The application and the database would have to know the secret key (stored in Oracle Wallet), but because it's a one-way hash it can't be hacked to return the original password.

You would never pass any password outside the database. The application would generate the hash after the user enters it and then request the hashed password from the database and compare the two. This method is also secure from packet sniffing.

Bill
Lead Application Developer
New York State, USA
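To answer the field-type question concretely, here is an added example (not code from the thread or from any of its posters) of an Oracle table and PL/SQL package that store a keyed HMAC-SHA-512 of each password together with a per-user random salt, and verify a login attempt by recomputing the MAC. HMAC-SHA-512 output is 64 bytes, so the column is RAW(64); an MD5 digest would be RAW(16), or CHAR(32) if the application sends it as a hex string. The example assumes Oracle 12c or later (for DBMS_CRYPTO.HMAC_SH512), that the schema owner has EXECUTE on DBMS_CRYPTO, and that the hard-coded key value is a placeholder standing in for a key fetched from a wallet or other secret store. Table name, package name and the app_login columns are choices made for this example. One caveat: DBMS_CRYPTO offers no purpose-built slow password hash (PBKDF2, bcrypt, scrypt), so if the application side can run one of those, prefer it and store its output instead.

```sql
-- Added example, not from the original thread.
-- Assumes Oracle 12c+ and: GRANT EXECUTE ON SYS.DBMS_CRYPTO TO <schema>;
CREATE TABLE app_login (
    login_id    VARCHAR2(64) PRIMARY KEY,
    pwd_salt    RAW(16)      NOT NULL,   -- 16 random bytes, unique per user
    pwd_mac     RAW(64)      NOT NULL,   -- HMAC-SHA-512 is 64 bytes long
    must_change CHAR(1) DEFAULT 'Y' NOT NULL
);

CREATE OR REPLACE PACKAGE pwd_util AS
    PROCEDURE set_password(p_login_id IN VARCHAR2, p_password IN VARCHAR2);
    -- Returns 1 when the password matches, 0 otherwise (including unknown user)
    FUNCTION verify_password(p_login_id IN VARCHAR2, p_password IN VARCHAR2)
        RETURN NUMBER;
END pwd_util;
/

CREATE OR REPLACE PACKAGE BODY pwd_util AS
    -- PLACEHOLDER key for the example only; a real deployment reads the
    -- key from Oracle Wallet or another secret store, never from source.
    FUNCTION secret_key RETURN RAW IS
    BEGIN
        RETURN HEXTORAW('00112233445566778899AABBCCDDEEFF' ||
                        '00112233445566778899AABBCCDDEEFF');
    END secret_key;

    -- HMAC-SHA-512 over (salt || UTF-8 password) under the secret key
    FUNCTION compute_mac(p_salt IN RAW, p_password IN VARCHAR2) RETURN RAW IS
    BEGIN
        RETURN DBMS_CRYPTO.MAC(
            src => UTL_RAW.CONCAT(p_salt,
                                  UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
            typ => DBMS_CRYPTO.HMAC_SH512,
            key => secret_key);
    END compute_mac;

    PROCEDURE set_password(p_login_id IN VARCHAR2, p_password IN VARCHAR2) IS
        l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh salt on every change
        l_mac  RAW(64) := compute_mac(l_salt, p_password);
    BEGIN
        MERGE INTO app_login t
        USING (SELECT p_login_id AS login_id FROM dual) s
           ON (t.login_id = s.login_id)
        WHEN MATCHED THEN
            UPDATE SET t.pwd_salt = l_salt, t.pwd_mac = l_mac, t.must_change = 'N'
        WHEN NOT MATCHED THEN
            INSERT (login_id, pwd_salt, pwd_mac, must_change)
            VALUES (p_login_id, l_salt, l_mac, 'Y');
    END set_password;

    FUNCTION verify_password(p_login_id IN VARCHAR2, p_password IN VARCHAR2)
        RETURN NUMBER IS
        l_salt RAW(16);
        l_mac  RAW(64);
    BEGIN
        SELECT pwd_salt, pwd_mac INTO l_salt, l_mac
          FROM app_login WHERE login_id = p_login_id;
        -- UTL_RAW.COMPARE returns 0 when the two RAW values are identical
        RETURN CASE WHEN UTL_RAW.COMPARE(compute_mac(l_salt, p_password), l_mac) = 0
                    THEN 1 ELSE 0 END;
    EXCEPTION
        WHEN NO_DATA_FOUND THEN RETURN 0;  -- unknown login ID: same answer as bad password
    END verify_password;
END pwd_util;
/

-- Usage: create the initial record, then verify a login attempt.
BEGIN
    pwd_util.set_password('raj', 'initial-pass');
    DBMS_OUTPUT.PUT_LINE(pwd_util.verify_password('raj', 'initial-pass'));  -- 1
    DBMS_OUTPUT.PUT_LINE(pwd_util.verify_password('raj', 'wrong'));         -- 0
END;
/
```

With this layout the PHP side never needs to compute the hash itself: it sends the candidate password to `pwd_util.verify_password` over the (TLS-protected) database connection and receives only 1 or 0, so the secret key and the stored MACs stay inside the database. Keeping the salt in its own RAW(16) column means an attacker who obtains a table dump cannot reuse one precomputed table across users, and the keyed MAC means the dump is useless without the wallet key as well.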
 