midi25 (Starting Member, 24 Posts)
Posted - 2005-05-23 : 06:41:17
Hi, what are the best methods to enable encryption of passwords in a DB? Do I have to use an encryption provider layered between my UI and the DB, which then encrypts and decrypts I/O? Will the extra overhead of encrypting and decrypting strings result in any major performance degradation when scaled? What do you use?
AjarnMark (SQL Slashing Gunting Master, 3246 Posts)
Posted - 2005-05-23 : 18:52:58
This is a huge question and can be debated extensively, I'm sure. The short story to remember is that, yes, encrypting and decrypting data will cause performance degradation. How much is hard to say without running performance metrics, but in general, the more items that need to be encrypted/decrypted, the slower it will go.

Another part of the debate is whether passwords should be encrypted or hashed. Hashing is a 1-way encryption and cannot be decrypted. When doing this, you then have to have a way to compare the encrypted form of the password to determine if there is a match. A side-effect of this is that you can never tell the user what their password was if they forget it. Instead, you have to provide a mechanism for them to change their password after being validated in some other manner. This is more secure, and more work.

This whole subject can be such a big deal, I strongly encourage you to be ready to spend a lot of time in researching and understanding the issues on all sides.

---------------------------
EmeraldCityDomains.com
midi25 (Starting Member, 24 Posts)
Posted - 2005-05-24 : 08:22:15
Thanks for the reply. I am new to SQL and have spent much of my time working with .Net. Now I am embarking on an application design and exam 70-229, so I need to start getting into SQL best practices. I also found a nice little article talking about MD5 one-way encryption and salting. These measures look fairly secure. I'm not too bothered about whether the password can be retrieved if they forget it. They will have to request a new one and then reset it later. Thanks
AndyB13 (Aged Yak Warrior, 583 Posts)
Posted - 2005-05-24 : 09:30:58
SQL Server has 2 encryption functions. Undocumented and not very strong. Here's an example; if the passwords match it returns 1, else 0:

    -- PWDENCRYPT produces the hashed form; PWDCOMPARE re-hashes the candidate and compares
    DECLARE @Password varbinary(255)
    SET @Password = PWDENCRYPT('MyPassword')
    SELECT PWDCOMPARE('MyPassword', @Password, 0)

Remember this is undocumented and unsupported.

Andy
Beauty is in the eyes of the beerholder
AjarnMark (SQL Slashing Gunting Master, 3246 Posts)
Posted - 2005-05-24 : 12:12:32
As Andy points out, PWDENCRYPT is not very strong, but it is easy. So, I guess the question is whether you're encrypting to deter nuisance users, who really should be locked out anyway, or if you really have confidential info.

I used to hear a lot of talk about MD5 and SHA-1. Not sure if they are still the latest & greatest or not. But they'd certainly be a good start. And salting the hash is an interesting puzzle itself, that is, to decide how you're going to store the salt, and whether to use a different salt for every row, which I believe is recommended.

Enjoy the adventure!

---------------------------
EmeraldCityDomains.com
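Added example, not code from this thread or from SQLTeam: the two points AjarnMark raises, that a hashed password is compared by re-hashing rather than decrypted, and that a per-row salt has to be stored somewhere, worked through in Python as the application-side layer midi25 asks about. Everything here is an assumption of the example: PBKDF2-HMAC-SHA256 stands in for the MD5/SHA-1 the posts name, an in-memory dict stands in for the users table, and the `salt$hash` column packing is my own choice. The unsalted MD5 function is included only to show why identical passwords must not produce identical rows.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for the users table: username -> (salt, hash).
# Assumption: the application layer, not T-SQL, does the hashing.
USERS: Dict[str, Tuple[bytes, bytes]] = {}

SALT_BYTES = 16          # one random salt per row, as the post recommends
PBKDF2_ROUNDS = 100_000  # work factor; raise it as hardware gets faster


def unsalted_md5(password: str) -> str:
    """Plain MD5 with no salt, the scheme the thread mentions. Kept only to show
    the problem a salt solves: every row holding the same password gets the
    same hash, so one cracked hash (or a precomputed table) covers them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is
    supplied; verification supplies the stored one. PBKDF2-HMAC-SHA256 is an
    assumption of this example, standing in for the MD5/SHA-1 named above."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def to_column(salt: bytes, digest: bytes) -> str:
    """Pack salt and hash into one text column as 'salt$hash' (hex). Storing the
    salt beside the hash is fine: its job is uniqueness per row, not secrecy."""
    return f"{salt.hex()}${digest.hex()}"


def from_column(value: str) -> Tuple[bytes, bytes]:
    """Unpack a 'salt$hash' column value back into (salt, digest)."""
    salt_hex, digest_hex = value.split("$", 1)
    return bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def store_user(username: str, password: str) -> str:
    """Hash with a new per-row salt, store it, and return the packed column
    value that would be written to the table. A password reset is the same
    operation with the new password, since the old one cannot be recovered."""
    salt, digest = hash_password(password)
    USERS[username] = (salt, digest)
    return to_column(salt, digest)


def verify_password(username: str, password: str) -> bool:
    """Re-hash the candidate with the row's own salt and compare hashes; the
    stored value is never decrypted."""
    row = USERS.get(username)
    if row is None:
        # Do the same work for an unknown user so response time does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time compare


if __name__ == "__main__":
    # Two accounts with the same password: unsalted MD5 collides, salted hashes do not.
    print(unsalted_md5("MyPassword") == unsalted_md5("MyPassword"))
    store_user("alice", "MyPassword")
    store_user("bob", "MyPassword")
    print(USERS["alice"][1] != USERS["bob"][1])
    print(verify_password("alice", "MyPassword"), verify_password("alice", "wrong"))
```

The cost AjarnMark warns about is deliberate here: the PBKDF2 round count is what makes each verification slow, and it only runs once per login attempt, so it does not scale with the number of rows the way encrypting and decrypting stored data would.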