unclocked
Starting Member
1 Post
Posted - 2005-01-17 : 21:32:43

This is my first post on this great forum. I am fairly new to the database world, and need some assistance.

If designing a database to store usernames and passwords, what is the best way to go about doing it? Does one store the actual passwords or encrypted passwords in databases?

Assuming encrypted passwords are stored, when it comes to authentication, is the stored password decrypted first and then compared to what the user entered? Or is the user's password encrypted and compared to the already encrypted entry in the database?

jhermiz
3564 Posts
Posted - 2005-01-18 : 00:41:29

Depends how secure you want the application. If it's not too much of a sensitive app and you don't work at a bank :) I've seen developers just store the password without encrypting it. If it's a pretty tight application where you want to ensure a bit more security you can encrypt it. If it's being used internally you could get away with using Windows permissions and set up each user (but I find that painful). If the password is encrypted you should decrypt on the other end, that is, run your algorithm against the stored password and then compare. Either way, you could do it the other way around and encrypt it and then compare; I tend to like to keep the load off the client.

Jon
Keeping the web experience alive -- http://www.web-impulse.com
 |

Kristen
Test
22859 Posts
Posted - 2005-01-18 : 01:41:48

If you want to be able to send a reminder of the password to the user (e.g. by email) you would need to store the password unencrypted, or with a reversible encryption method.

Kristen
 |