Re: pwd's in dbases


From: Cowboy (Gregory A. Beamer) [MVP] (NoSpamMgbworld_at_comcast.netNoSpamM)
Date: 07/15/04


Date: Thu, 15 Jul 2004 07:57:43 -0500

It depends on the implementation.

For ultimate security, encrypt with a one-way function. You then encrypt
prior to checking if the login is correct. In this system, a new PWD has to
be generated if the user loses it, as PWDs are not crackable (at least in
theory). I have seen systems that used a one-way hash, but these are not
really one way. PVCS used (may still use) a simple hex generator that threw
off the ASCII code according to a simple algorithm. Rather easy to crack for
anyone with a few minutes of time and an understanding of security. This is
not a good method for a really secure system, but most systems are not
otherwise set up to prevent internal hacking anyway. The hash will stop the
casual looker, while the encrypt will help even more.

NOTE: There are more prudent methods to secure databases, like eliminating
direct table access and forcing access via stored procedures.

-- 
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
************************************************
Think Outside the Box!
************************************************
"John" <facke@facke.null> wrote in message
news:40f657ba$0$3961$a0ced6e1@news.skynet.be...
> Hi all,
>
>
>
> What is the best way to store a pwd into a dbase? I guess it is hashing it.
> Read a lot regarding this issue to use md5 for it, but can I use AES for it
> also? And what is that salt thing doing? And then, there is more, What is
> the best way to request a login and pwd from a user (client level) without
> using https or ntlm or something like that, just a clean html / asp thing.
>
>
>
> John
>
>
>
>
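
An added example, not part of the original posts: the scheme the reply describes (store only a one-way digest, recompute it at login, issue a new password when one is lost), combined with the per-user salt the question asks about. PBKDF2-HMAC-SHA256 from Python's standard library, the iteration count, the function names and the in-memory `users` dict are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to store: salt, iteration count and digest, never the password."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest from the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def reset_password(users: dict, username: str) -> str:
    """The stored digest cannot be turned back into the password, so issue a new one."""
    new_password = secrets.token_urlsafe(12)
    users[username] = hash_password(new_password)
    return new_password  # deliver out of band and require a change at next login


if __name__ == "__main__":
    users = {}  # stands in for the users table (constructed sample data)
    users["alice"] = hash_password("correct horse")
    users["bob"] = hash_password("correct horse")
    # Same password, different salts: the stored digests differ.
    print("digests differ:", users["alice"]["digest"] != users["bob"]["digest"])
    print("good login:", verify_password("correct horse", users["alice"]))
    print("bad login:", verify_password("wrong guess", users["alice"]))
    temp = reset_password(users, "alice")
    print("old password after reset:", verify_password("correct horse", users["alice"]))
    print("new password after reset:", verify_password(temp, users["alice"]))
```

The salt is stored in the clear next to the digest; its job is to make each user's digest unique so that one precomputed table cannot be reused across accounts.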

