storing encrypted password in a field

(OP)
Hi,

I have a Login table with Login ID & Password fields. I want to store an encrypted password in the "password" field (similar to MD5 in SQL).
What would be the field type of password?


Thanks,
RAJ

RE: storing encrypted password in a field

Passwords should NEVER be stored, even if encrypted. Calculate a hash using a strong algorithm (see dbms_crypto). To verify an entered password, you would put the entered password through the same hash and compare the two fields. If they match then they get in. This is exactly what Oracle does in its database. If you have an encrypted password then the encryption can be hacked.

Bill
Lead Application Developer
New York State, USA

RE: storing encrypted password in a field

(OP)
Thanks Bill.

Sorry for not putting the details.
Our PHP developers are working on a website which will have a Login Id & password, and this is fetched from the Oracle table.
So when the user logs in the 1st time with his/her Id & password, the same is checked against the Oracle table and, if it matches, the user is allowed to view the website; the user is asked to change his password. So when the user changes his password, this changed password is to be stored in encrypted format in the table.
One option is to pass the encrypted password (through PHP code) to be stored in the Oracle table - how can I store the password in encrypted format in Oracle; what will be the field type & length? - something similar to "MD5"

TIA,
Raj

RE: storing encrypted password in a field

MD5 is a hashing algorithm, not an encryption algorithm. I would use the hash algorithm HMAC_SH512. It is not only the most complex hashing available on Oracle but it also requires a secret key. See the following procedure: DBMS_CRYPTO.HASH

The one-way hashing is an open standard and can be generated by pretty much any application. The application and the database would have to know the secret key (store in Oracle wallet), but because it's a one-way hash it can't be hacked to return the original password.

You would never pass any password outside the database. The application would generate the hash after the user enters it in and then request the hashed password from the database and compare the two. This method is also secure from packet snooping.

Bill
Lead Application Developer
New York State, USA
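
One way to lay out the column and the hash-and-compare step described in the replies above, as an added example in Oracle PL/SQL that is not code from the thread. The table, column and routine names are hypothetical, the per-user salt is an addition, the secret key is assumed to be passed in as a RAW by the caller, and the schema is assumed to have EXECUTE on a DBMS_CRYPTO that provides HMAC_SH512.

```sql
-- Added example: all object names here are hypothetical.
-- HMAC-SHA512 output is always 64 bytes, so the column is RAW(64)
-- (VARCHAR2(128) if the value is stored hex-encoded instead).
CREATE TABLE app_login (
  login_id VARCHAR2(64) PRIMARY KEY,
  pw_salt  RAW(16),  -- per-user random salt (an addition, not from the thread)
  pw_mac   RAW(64)   -- HMAC-SHA512(secret key, salt || password)
);

-- HMAC_SH512 is a MAC type constant, so it is passed to DBMS_CRYPTO.MAC
-- rather than DBMS_CRYPTO.HASH. p_key is the secret key (assumption:
-- the caller has already obtained it; wallet retrieval is not shown).
CREATE OR REPLACE FUNCTION pw_mac_of (
  p_password IN VARCHAR2, p_salt IN RAW, p_key IN RAW
) RETURN RAW IS
BEGIN
  RETURN DBMS_CRYPTO.MAC(
    UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
    DBMS_CRYPTO.HMAC_SH512,
    p_key);
END pw_mac_of;
/

-- Password change: fresh salt, fresh MAC; the clear text is never stored.
CREATE OR REPLACE PROCEDURE set_password (
  p_login_id IN VARCHAR2, p_password IN VARCHAR2, p_key IN RAW
) IS
  l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  l_mac  RAW(64);
BEGIN
  IF p_password IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'empty password rejected');
  END IF;
  l_mac := pw_mac_of(p_password, l_salt, p_key);
  UPDATE app_login SET pw_salt = l_salt, pw_mac = l_mac
   WHERE login_id = p_login_id;
END set_password;
/

-- Login check: recompute with the stored salt and compare. Returns 1 or 0.
CREATE OR REPLACE FUNCTION check_password (
  p_login_id IN VARCHAR2, p_password IN VARCHAR2, p_key IN RAW
) RETURN NUMBER IS
  l_salt app_login.pw_salt%TYPE;
  l_mac  app_login.pw_mac%TYPE;
BEGIN
  SELECT pw_salt, pw_mac INTO l_salt, l_mac
    FROM app_login WHERE login_id = p_login_id;
  RETURN CASE WHEN pw_mac_of(p_password, l_salt, p_key) = l_mac THEN 1 ELSE 0 END;
EXCEPTION
  WHEN NO_DATA_FOUND THEN RETURN 0;  -- unknown login answers like a wrong password
END check_password;
/
```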
