
	Home > Ask the Oracle Database / Applications Experts > Questions & Answers > Should passwords in table be encrypted?

Ask The Oracle Expert: Questions & Answers

EMAIL THIS

Should passwords in table be encrypted?

EXPERT RESPONSE FROM: Dan Norris

		Pose a Question

		Other Oracle Categories

		Meet all Oracle Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 04 October 2004
I have one table where username and password are stored. I wanted to know if the password entered in that table should be encrypted?

Don't encrypt passwords--hash them. You do not need to know what they are and if the user forgets their password, just reset it and send them a new one. This is essentially the same way that *nix hosts have stored passwords for many years.

Oracle has a builtin function for hashing a string at DBMS_UTILITY.GET_HASH_VALUE. However, in order to use that, you'd have to pass the cleartext password to the database server in order to make the function call. Unless you're using the Advanced Security Option (ASO), SQL*Net will transmit that data over the network in clear text. So, here are your best options:

Use a hash function in your application to do the hashing in the application before the data is sent to the database for insert, update, etc. This could be on the application server for a greater than 2-tier application, or in the application code for a 2-tier application.
Use the database function, but secure the SQL*Net traffic using SQL*Net encryption (part of the Advanced Security Option). The drawback to this approach is that you'd have to purchase ASO if you don't already have it and it is an add-on option.
Use the database function, but secure the SQL*Net traffic using a SSH tunnel. If your application is greater than 2-tier (i.e. there is one or a small number of application servers), then you could establish SSH tunnels from the application servers to the database server and run SQL*Net traffic through these tunnels. This takes some more setup and maintenance, but can be done without purchasing any additional software (there are totally free SSH implementations for all platforms).

Regardless of which option you use to get the data to and from the database, here's how you'd go about using this approach to set a password:

request the password from the user
hash the password
store the hashed password in the database table

For logins:

request the password from the user
hash the password
obtain the hashed password in the database table
compare the strings from #2 and #3. If they match, this is the correct password.

Tom Kyte answered some questions regarding this (in his usual, thorough way) at: http://asktom.oracle.com/pls/ask/f?p=4950:8:16985564963218549155.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Oracle database security
	How to enable remote Oracle OS authentication with OS_AUTHENT_PREFIX
	Oracle delivers database fixes in Critical Patch Update
	How to use DBMS_CRYPTO package for Oracle password encryption/hashing
	How to decrypt an Oracle password using John the Ripper and checkpwd
	How to use the CREATE SESSION command to track Oracle database logins
	How to troubleshoot Oracle critical patch updates using OPatch
	Can I automate Oracle patching when installing Oracle Standard Edition?
	Is it possible to automate Oracle CPUs for a DoD project?
	Three steps to help improve Oracle database security
	Tips for auditing and securing database backups in Oracle

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Oracle White Papers: Fusion Middleware

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy