elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2005-08-10 : 08:04:22
|
| The App I babysit has a table for users (including passwords - in clear text I might add!!)

I'm trying to create some web pages that use this combination of username and password but would like it to be a bit more secure than it is. I know that ASP.NET can hash passwords and that I can then pass it to a sproc. My question is - what do I do with it then when it gets to the sproc? I don't entirely understand hashing though I know it's a one way function. How can I use the hashed value to ensure that the correct password was entered and how do I hash the values in SQL?

I would appreciate any comments or pointers

Many thanks

steve

Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer. |
|
|
spirit1
Cybernetic Yak Master
11752 Posts |
Posted - 2005-08-10 : 08:10:18
|
Well, you save the hashed value in the db and then compare the hashed table in db with the one entered.

Go with the flow & have fun! Else fight the flow |
 |
|
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2005-08-10 : 09:36:36
|
| Thanks Spirit. Can SQL create the hashed value or do I have to do it somewhere else?

The other thing I don't understand is this. An example of a hash function would be RIGHT(MyPassword,1), so for example if my password is "SQL Team" then the hash value is m. BUT if my password is "Item" then the hash value is the same. I realise that hashing is more complex than this but if a hash value is unique for any given password then how can it be a one way function? i.e. if two passwords give the same hash value how do you know that someone has provided the right password?

steve

Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer. |
 |
|
|
spirit1
Cybernetic Yak Master
11752 Posts |
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2005-08-10 : 10:52:23
|
| MD5 is awesome for hashing and it creates a 32-character string consisting of characters and numbers that is said to be unique. I can't promise 100% uniqueness but considering that MD5 creates a 32 character string regardless of the length of the value being hashed I would believe that it's safe enough. I have an extended stored procedure and a user defined function that will let you create md5's in a bliss... let me know if you need it or google "sql server md5" or something.

--
Lumbago
"Real programmers don't document, if it was hard to write it should be hard to understand" |
 |
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2005-08-10 : 11:01:27
|
It is possible for two passwords to have the same hash, but the chances are very small. Even with a simple algorithm like SQL Server's BINARY_CHECKSUM() function, you only have one chance in about 4 billion of another password having the same checksum.

quote: Originally posted by elwoos

Thanks Spirit. Can SQL create the hashed value or do I have to do it somewhere else?

The other thing I don't understand is this. An example of a hash function would be RIGHT(MyPassword,1), so for example if my password is "SQL Team" then the hash value is m. BUT if my password is "Item" then the hash value is the same. I realise that hashing is more complex than this but if a hash value is unique for any given password then how can it be a one way function? i.e. if two passwords give the same hash value how do you know that someone has provided the right password?

steve

Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
CODO ERGO SUM |
 |
|
|
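The store-then-compare flow discussed in this thread, as an added example that is not code from any of the posters: the password is never stored, only a per-user random salt and a slow salted hash, and login re-derives the hash from the attempt and compares. Assumptions: an in-memory SQLite table stands in for the application's users table and stored procedure, PBKDF2-HMAC-SHA256 and the iteration count are this example's choices, and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware


def toy_hash(password):
    """The RIGHT(MyPassword, 1) 'hash' from the question: last character only."""
    return password[-1:]


def derive(password, salt):
    """Slow, salted one-way function (PBKDF2-HMAC-SHA256, 32-byte output)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_store():
    """In-memory SQLite table standing in for the application's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def register(db, username, password):
    """Store a fresh random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, derive(password, salt)))


def verify(db, username, attempt):
    """Re-derive the hash from the attempt with the stored salt, then compare."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        derive(attempt, b"\x00" * 16)  # spend the same work for unknown usernames
        return False
    salt, stored = row
    return hmac.compare_digest(derive(attempt, salt), stored)  # constant-time compare


if __name__ == "__main__":
    db = open_store()
    register(db, "steve", "SQL Team")  # constructed sample account
    print(toy_hash("SQL Team") == toy_hash("Item"))  # the toy hash collides
    print(verify(db, "steve", "SQL Team"), verify(db, "steve", "Item"))
```

The toy hash accepts "Item" for "SQL Team" because its output space is a single character; the salted 256-bit hash rejects it, and the salt means two users with the same password get different stored values.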