 Data Type and passwords


Pinto
Aged Yak Warrior

590 Posts

Posted - 2011-09-12 : 04:34:45
I want to store a password in a table. Is there a data type I can use so that others viewing the table cannot read the password (i.e. it is encrypted or hashed up) but if I want to view it I can?

Kristen
Test

22859 Posts

Posted - 2011-09-12 : 05:35:34
Better that even you can't see it IMHO.

Salt + Hash is the recommended way (Wikipedia will have the details).

We store the "Salt + Hash password" to be used for comparison against the user's password attempt (and let them login if it matches).

For a "Lost password" we have an additional field to store a one-time "Salt + Hash password" which we generate mechanically/randomly and email to the customer. We also have a time-limit expiry datetime (column) for this one-time password (so the Customer has to use it within 2 hours).

Our login lets a customer login with either their normal password, or the lost-password (if within time limit) as quite often people remember their "lost password"!

We also have a lockout time and number of consecutive failed password attempts. After 3 consecutive failed attempts we set a lockout time of now + 1 hour (say). Each failure beyond that re-sets the lockout time of an hour (so this will be one hour after the dictionary attack ends).

We don't publicise that the account is locked, so a real user will probably just keep retrying (or they can contact support, who can unlock their account - the user can provide enough personal information for Support to form a judgement).

Two-way encryption is available in SQL Server, if you really want to have encrypted passwords that "you" can see. But if someone has hacked your system they will probably have access to the "keys" to the encryption too ... which is what the Salt + Hash is designed to solve.

So I wonder how Sony (or whoever it was recently) managed to have millions of UserID AND passwords stolen?
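The scheme described in the reply above, written out as an added Python example (not code from the post or from SQLTeam): a salted PBKDF2 hash stored in place of the password, a one-time lost password with a two-hour expiry, and a silent one-hour lockout that is re-set by every failure after the third. The `Account` class, the function names and the 100,000-iteration work factor are assumptions; in a real deployment the same fields would be columns in the users table and the hashing would run in the application tier.

```python
import hashlib, hmac, os
from datetime import timedelta

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value, tune for your hardware

def make_salt_hash(password, salt=None):
    """Return (salt, hash); a fresh 16-byte random salt is generated when none is given."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Account:
    """In-memory stand-in for the columns the post describes (hypothetical, not the poster's schema)."""
    def __init__(self, password):
        self.salt, self.pw_hash = make_salt_hash(password)  # only salt + hash is stored, never the password
        self.otp_salt = self.otp_hash = None  # one-time "lost password", also salted + hashed
        self.otp_expires = None               # expiry datetime for the one-time password
        self.failed_attempts = 0
        self.locked_until = None

def issue_lost_password(acct, now):
    """Generate a random one-time password, store its salt + hash, return the clear text to email."""
    otp = os.urandom(12).hex()
    acct.otp_salt, acct.otp_hash = make_salt_hash(otp)
    acct.otp_expires = now + timedelta(hours=2)
    return otp

def _matches(attempt, salt, stored):
    # constant-time comparison of the recomputed hash against the stored one
    return salt is not None and hmac.compare_digest(make_salt_hash(attempt, salt)[1], stored)

def login(acct, attempt, now):
    """True on success. A locked account fails silently; each failure while locked re-sets the lockout."""
    if acct.locked_until is not None and now < acct.locked_until:
        acct.locked_until = now + timedelta(hours=1)
        return False
    ok = _matches(attempt, acct.salt, acct.pw_hash)
    if not ok and acct.otp_expires is not None and now <= acct.otp_expires:
        ok = _matches(attempt, acct.otp_salt, acct.otp_hash)
        if ok:  # single use: clear the one-time password once it has been accepted
            acct.otp_salt = acct.otp_hash = acct.otp_expires = None
    if ok:
        acct.failed_attempts, acct.locked_until = 0, None
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= 3:  # third consecutive failure: lock for an hour
        acct.locked_until = now + timedelta(hours=1)
    return False
```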