I am maintaining a table called USER which stores userid and password. Now I want to encrypt the password and store it in the database, and the same encrypted password must be accessed and checked with the user entered password in VB.NET 2008. How can this be done?
As a rule of thumb, hashing application passwords is really the best way to go about it, for internal apps that may not need extreme levels of security. (This is the same method Oracle uses in 11g for protecting and validating database user passwords.) A properly salted SHA-1 hash provides really excellent resistance to cracking, without the need to manage encryption keys! All you would have to do is hash the password through one of DBMS_CRYPTO's hashing procedures and compare that to the original, hashed password value in you user table.
If you MUST use encryption, key management is critical -- it will make or break the security of the entire process. Please do not consider putting the key, or direct references in the PL/SQL procedures you used to call DBMS_CRYPTO – the Oracle wrap utility used to obscure your code is easily defeated by direct attack in 10g and below. 11g is actually much better in this regard, plus there are many free and commercial unwrapping utilities available. Proper key management is very complex and difficult to do properly. Often, a "weaker" but properly implemented obfuscation process will render a more secure system than a poorly implemented "strong" algorithm.
This was first published in August 2009