Incognito
Starting Member
49 Posts |
Posted - 2003-03-13 : 06:10:43
|
| Hello folks,

I have a table with the following columns:

username, varchar(50)
password, varchar(50)

The security of the db is good and as DBA I am the only one who can see the password column. But I don't want that. Instead of the password I would like to see ************. I remember in Access you could use an input mask PASSWORD. Can I do this for SQL Server 2000 too?

Who oh who can help me?

Thnx for the answers,
Gokhan |
|
|
nr
SQLTeam MVY
12543 Posts |
Posted - 2003-03-13 : 06:13:53
|
| You are dba so you should be able to see and maintain all data.

You can save the password encrypted.
or
If you don't select the field (or select '*****' in its place) then you won't see it.

For other people just give a view or SP which doesn't have the field.

You think security is good so I don't see the problem.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy. |
 |
|
|
samsekar
Constraint Violating Yak Guru
437 Posts |
Posted - 2003-03-13 : 06:35:26
|
| The function ENCRYPT will do. I don't see any description of this function. Can anybody help me to know what the encryption format is? How to decrypt?

select encrypt('sekar')

Result : 0x730065006B0061007200

Sekar
~~~~
Success is not a destination that you ever reach. Success is the quality of your journey. |
 |
|
|
Arnold Fribble
Yak-finder General
1961 Posts |
Posted - 2003-03-13 : 07:34:27
|
| That is not encrypted. It's not even slightly obscured!

SELECT CONVERT(varbinary(8000), CONVERT(nvarchar(4000), 'sekar')) |
 |
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2003-03-13 : 07:34:41
|
| SQL Server does not offer a decrypt function, and the encrypt and pwdencrypt functions have fairly weak security anyway and should be avoided. In any case they can't display a masked password as "*********". And I don't understand what you mean by that, the password is only masked at the client interface/application layer, not in the database itself. Simply DENY SELECT permissions on the password column to everyone, if they try to query it they'll get an error. |
 |
|
|
Arnold Fribble
Yak-finder General
1961 Posts |
Posted - 2003-03-13 : 08:05:15
|
| And if you really don't want to store plaintext passwords in the database, use a cryptographic hash like SHA-1 or MD5. That way, you store a hash of the password, and then when someone tries to log in, you compare the hash of the password they typed with the hash of the password in the database. |
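
Added example, not written by any poster in this thread: it reads the `encrypt('sekar')` result quoted above as UTF-16LE text, then shows the store-a-hash, compare-at-login flow described in the post above. It substitutes salted PBKDF2-HMAC-SHA256 for the bare SHA-1 or MD5 named in the post; the function names, the in-memory `users` table and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Value quoted in the thread as the result of encrypt('sekar').
THREAD_VALUE = "730065006B0061007200"

# Assumed work factor for this example.
ITERATIONS = 200_000

# Constructed stand-in for the username/password table from the first post.
# It holds (salt, digest) per user and never the password itself.
users = {}


def decode_nvarchar_bytes(hex_value):
    """Interpret the bytes as UTF-16LE text (two bytes per character)."""
    return bytes.fromhex(hex_value).decode("utf-16-le")


def hash_password(password, salt=None):
    """Return (salt, digest) for a password, using a fresh salt if none is given."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def register(username, password):
    """Store only the salt and digest for the user."""
    users[username] = hash_password(password)


def login(username, attempt):
    """Hash the typed password with the stored salt and compare digests."""
    record = users.get(username)
    if record is None:
        return False
    salt, stored_digest = record
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    print(decode_nvarchar_bytes(THREAD_VALUE))
    register("gokhan", "constructed-sample-pw")  # constructed sample values
    print(login("gokhan", "constructed-sample-pw"), login("gokhan", "guess"))
```

With this layout a SELECT on the table shows a salt and a digest rather than anything a person typed.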
 |
|
|
Incognito
Starting Member
49 Posts |
Posted - 2003-03-13 : 08:09:35
|
It is a privacy issue. I saw a password this morning (actually I was surfing in the DB and I was shocked by what I saw!!!)

It is clear to me now.

The MD5 idea is very interesting; I used it once in a MySQL db so it has to work for SQL Server too!

Thnx for your time again!
Gokhan

Edited by - Incognito on 03/13/2003 08:13:20 |
 |
|
|
nr
SQLTeam MVY
12543 Posts |
Posted - 2003-03-13 : 08:45:39
|
| Thought so:

>> The security of the db is good

is not very true if you can see user passwords.

Usually passwords are not held in clear in a database unless they are not meant to be a security feature (i.e. they are just to make sure the user types in the userID they mean to).

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy. |
 |
|
|
rjpaulsen
Starting Member
9 Posts |
|
|
nr
SQLTeam MVY
12543 Posts |
Posted - 2003-03-13 : 10:39:44
|
| How are the users inputting the password?

Transmitting a clear password could be considered a bad thing.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy. |
 |
|
|
samsekar
Constraint Violating Yak Guru
437 Posts |
Posted - 2003-03-14 : 04:49:34
|
quote: use a cryptographic hash like SHA-1 or MD5.

Interesting. I haven't heard about that, Arnold. Can you please suggest good articles on that?

Sekar
~~~~
Success is not a destination that you ever reach. Success is the quality of your journey. |
 |
|
|
|