Home > Ask the Oracle Database / Applications Experts > Questions & Answers > Should passwords in table be encrypted?
Ask The Oracle Expert: Questions & Answers
EMAIL THIS

Should passwords in table be encrypted?

Dan Norris EXPERT RESPONSE FROM: Dan Norris

Pose a Question
Other Oracle Categories
Meet all Oracle Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 04 October 2004
I have one table where username and password are stored. I wanted to know if the password entered in that table should be encrypted?

>

Don't encrypt passwords--hash them. You do not need to know what they are and if the user forgets their password, just reset it and send them a new one. This is essentially the same way that *nix hosts have stored passwords for many years.

Oracle has a builtin function for hashing a string at DBMS_UTILITY.GET_HASH_VALUE. However, in order to use that, you'd have to pass the cleartext password to the database server in order to make the function call. Unless you're using the Advanced Security Option (ASO), SQL*Net will transmit that data over the network in clear text. So, here are your best options:

  1. Use a hash function in your application to do the hashing in the application before the data is sent to the database for insert, update, etc. This could be on the application server for a greater than 2-tier application, or in the application code for a 2-tier application.
  2. Use the database function, but secure the SQL*Net traffic using SQL*Net encryption (part of the Advanced Security Option). The drawback to this approach is that you'd have to purchase ASO if you don't already have it and it is an add-on option.
  3. Use the database function, but secure the SQL*Net traffic using a SSH tunnel. If your application is greater than 2-tier (i.e. there is one or a small number of application servers), then you could establish SSH tunnels from the application servers to the database server and run SQL*Net traffic through these tunnels. This takes some more setup and maintenance, but can be done without purchasing any additional software (there are totally free SSH implementations for all platforms).

Regardless of which option you use to get the data to and from the database, here's how you'd go about using this approach to set a password:

  1. request the password from the user
  2. hash the password
  3. store the hashed password in the database table

For logins:

  1. request the password from the user
  2. hash the password
  3. obtain the hashed password in the database table
  4. compare the strings from #2 and #3. If they match, this is the correct password.

Tom Kyte answered some questions regarding this (in his usual, thorough way) at: http://asktom.oracle.com/pls/ask/f?p=4950:8:16985564963218549155.


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
Oracle database security
How to enable remote Oracle OS authentication with OS_AUTHENT_PREFIX
Oracle delivers database fixes in Critical Patch Update
How to use DBMS_CRYPTO package for Oracle password encryption/hashing
How to decrypt an Oracle password using John the Ripper and checkpwd
How to use the CREATE SESSION command to track Oracle database logins
How to troubleshoot Oracle critical patch updates using OPatch
Can I automate Oracle patching when installing Oracle Standard Edition?
Is it possible to automate Oracle CPUs for a DoD project?
Three steps to help improve Oracle database security
Tips for auditing and securing database backups in Oracle

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
Browse our Expert Advice



Oracle White Papers: Fusion Middleware
HomeNewsTopicsTipsAsk the ExpertsMultimediaWhite PapersProductsBlogs
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts