Re: Storing passwords in a database
- From: Thomas Mueller <nospam@xxxxxxxxxxxx>
- Date: Tue, 21 Nov 2006 09:35:36 +0100
Hi Mikael,
Mikael Lenfors wrote:
> We have a user register in a SQL server database. The users' passwords are
> currently stored in varchar fields in clear text! We now want to store
> these passwords in encrypted form. What is the best way to do this?
The best way is to not store the passwords at all if it can be avoided. If
you only need to verify them, use some kind of hash, that is: Store a hash
and verify a logon by calculating the hash of the password given by the
user and comparing it to the hash you stored in the database.
This means that there is no way of recovering the password (but also no way
of using that database to try and log on to other systems).
For changing the password:
1. Require the user to enter his old password and twice the new one.
2. Check the old password against your database; if it doesn't match, exit.
3. Check whether the new passwords match; if not, exit.
4. Check whether the new password meets your requirements (length,
complexity, difference from the previous one (you just got that in step 1),
and lastly that it isn't one of the last n passwords the user had (by
comparing it to the hashes of these, see step 5)); if it doesn't qualify,
exit.
5. Store the hash of the old password so it will be available for step 4 in
the future
6. Store the hash of the new password
Kind regards,
twm
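The verify-by-hash scheme and the six-step password change above, as an added example that is not part of Thomas's reply. It assumes a salted PBKDF2-HMAC-SHA256 hash (the post only says "some kind of hash"; the iteration count below is a constructed tuning value), a plain Python dict standing in for the SQL table, and a minimal length-based policy for step 4. Every history entry keeps its own salt, so an old password can be checked without ever storing it in clear text:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed tuning values (assumptions, not from the post).
PBKDF2_ITERATIONS = 200_000   # work factor; raise as hardware allows
SALT_BYTES = 16
HISTORY_LENGTH = 5            # the "last n passwords" of step 4
MIN_LENGTH = 10               # stand-in for the site's own complexity rules

# In-memory stand-in for the user table: username -> record.
# A record stores only salt + hash of the current password and the
# (salt, hash) pairs of the last HISTORY_LENGTH passwords, never the
# passwords themselves.
UserDB = Dict[str, dict]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per password means two
    users with the same password do not share a hash, and an attacker who
    copies the table cannot precompute one dictionary for every row."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Logon check: rehash the supplied password with the stored salt and
    compare in constant time against the stored digest."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def create_user(db: UserDB, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    db[username] = {"salt": salt, "hash": digest, "history": []}


def meets_policy(new: str, old: str) -> bool:
    """Step 4, minus the history part: length and 'differs from previous'."""
    return len(new) >= MIN_LENGTH and new != old


def change_password(db: UserDB, username: str,
                    old: str, new1: str, new2: str) -> str:
    """Steps 1-6 of the post. The caller has already collected the old
    password once and the new one twice (step 1). Returns a short status
    string so each exit point is visible to the test."""
    rec = db.get(username)
    # Step 2: the old password must verify against the stored hash.
    if rec is None or not verify_password(old, rec["salt"], rec["hash"]):
        return "old password rejected"
    # Step 3: both copies of the new password must agree.
    if new1 != new2:
        return "new passwords differ"
    # Step 4a: length / differs-from-previous policy.
    if not meets_policy(new1, old):
        return "policy rejected"
    # Step 4b: not one of the last n passwords. Each history entry carries
    # its own salt, so the candidate is rehashed once per entry.
    for hist_salt, hist_digest in rec["history"]:
        if verify_password(new1, hist_salt, hist_digest):
            return "password reused"
    # Step 5: push the current hash into the history, keeping the last n.
    history: List[Tuple[bytes, bytes]] = rec["history"] + [(rec["salt"], rec["hash"])]
    rec["history"] = history[-HISTORY_LENGTH:]
    # Step 6: store the hash of the new password under a fresh salt.
    rec["salt"], rec["hash"] = hash_password(new1)
    return "ok"


if __name__ == "__main__":
    users: UserDB = {}
    create_user(users, "mikael", "correct horse battery")
    print(change_password(users, "mikael", "correct horse battery",
                          "new pass phrase 1", "new pass phrase 1"))
    print(change_password(users, "mikael", "new pass phrase 1",
                          "correct horse battery", "correct horse battery"))
```

Migrating the existing clear-text column fits the same functions: read each row once, call `hash_password` on the clear-text value, write the salt and digest back, and drop the clear-text column. Because each stored hash must be recomputed with its own salt, the history check in step 4b costs one PBKDF2 evaluation per remembered password; with a small n that is acceptable for a change-password action, which is rare compared with logon.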