| Author |
Topic |
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2004-07-12 : 11:32:18
|
| I came across this script when I was trying to find info on how to MD5 a field in my database and was quite surprised. Is this a good way of storing passwords in the database?? (I still haven't found a way to MD5 a field in the database so if anybody knows I'm all ears):

DECLARE @Encrypt varbinary(256)
DECLARE @Decrypt varchar(256)
SET @Encrypt = (SELECT pwdencrypt('foo'))
PRINT @Encrypt
PRINT pwdcompare('foo',@Encrypt,0)   -- 1: 'foo' matches the stored hash
PRINT pwdcompare('foo1',@Encrypt,0)  -- 0: 'foo1' does not match

--Lumbago
"Real programmers don't document, if it was hard to write it should be hard to understand" |
|
|
JasonGoff
Posting Yak Master
158 Posts |
Posted - 2004-07-13 : 06:53:48
|
| Depends how secure you want it to be. See http://www.theregister.co.uk/2002/07/08/cracking_ms_sql_server_passwords/ |
 |
|
|
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts |
Posted - 2004-07-13 : 09:54:37
|
Yeah, pwdencrypt isn't industrial strength, then again, they aren't recommending you use it. There is a 3rd party extended stored proc around called xp_Crypt that will do a good job, or you can hand off the encryption of data and other heavy lifting to an external process (i.e. your application). If you are using .NET it makes working with encryption APIs really simple.

The other school of thought is that you should put the effort into just securing your database and making sure only the right people have access. If your system gets compromised, chances are any hacker will be able to find the encryption key around somewhere. Then again, you will slow them down, and every measure counts.

Damian |
 |
|
|
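Handing the password hashing off to the application, as the reply above suggests, could look like the following. This is an added example, not code from the thread: Python with salted PBKDF2 and an in-memory SQLite table stand in for the application and the SQL Server table, and the function names, the `users` table, the record format and the iteration count are all assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumption: work factor picked for this sketch, tune per host


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algo$iterations$salt_hex$hash_hex', sized for one varchar column."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != ALGO:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):  # malformed or truncated record
        return False
    return hmac.compare_digest(digest, expected)


def check_login(db: sqlite3.Connection, login: str, password: str) -> bool:
    """Fetch the stored record with a parameterized query and verify it."""
    row = db.execute("SELECT pwd FROM users WHERE login = ?", (login,)).fetchone()
    return row is not None and verify_password(password, row[0])


def demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for the real one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pwd TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("foo")))
    return db


if __name__ == "__main__":
    db = demo_db()
    print(check_login(db, "alice", "foo"), check_login(db, "alice", "foo1"))
```

The database only ever sees the derived record, and because the iteration count is stored with each record it can be raised later without invalidating existing rows.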
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2004-07-13 : 10:08:03
|
| I read a little about pwdencrypt and although not very secure it would probably be good enough for storing passwords in the database, as it naturally is locked down somewhat good in the first place. I also found xp_crypt but unfortunately I had to pay for it and I find it somewhat annoying that I have to pay for something that is firstly a lot more than I need and secondly "open source". So if you know of how to get the xp_md5 only for free, or know where I can find a dll to install I'll be a happy camper. I was actually thinking about using it for matching long strings of comma-separated IDs, so instead of trying to match a variable number of characters (anything from 10 to 1000 characters) I thought it would be better to just match the 32-character hashed string. Any thoughts about this? I just wanted to do it for efficiency, but I'm not sure if it actually will be more efficient or not... |
 |
|
|
kselvia
Aged Yak Warrior
526 Posts |
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2004-07-13 : 15:37:08
|
| Wow Ken, I have tried to access the codeproject-page numerous times today without luck but now it worked like a charm! Thanks a lot :)

Any thoughts on what would be better; comparing variable-length strings with comma-separated IDs directly or comparing a hash of the comma-separated IDs (which would be shorter but takes more time to create)? |
 |
|
|