Ask The Oracle Expert: Questions & Answers

Should passwords in table be encrypted?

EXPERT RESPONSE FROM: Dan Norris

QUESTION POSED ON: 04 October 2004
I have one table where username and password are stored. I wanted to know if the password entered in that table should be encrypted?

EXPERT RESPONSE

Don't encrypt passwords--hash them. You do not need to know what they are and if the user forgets their password, just reset it and send them a new one. This is essentially the same way that *nix hosts have stored passwords for many years.

Oracle has a built-in function for hashing a string at DBMS_UTILITY.GET_HASH_VALUE. However, in order to use that, you'd have to pass the cleartext password to the database server in order to make the function call. Unless you're using the Advanced Security Option (ASO), SQL*Net will transmit that data over the network in clear text. So, here are your best options:

  1. Use a hash function in your application to do the hashing in the application before the data is sent to the database for insert, update, etc. This could be on the application server for a greater than 2-tier application, or in the application code for a 2-tier application.
  2. Use the database function, but secure the SQL*Net traffic using SQL*Net encryption (part of the Advanced Security Option). The drawback to this approach is that you'd have to purchase ASO if you don't already have it and it is an add-on option.
  3. Use the database function, but secure the SQL*Net traffic using an SSH tunnel. If your application is greater than 2-tier (i.e. there is one or a small number of application servers), then you could establish SSH tunnels from the application servers to the database server and run SQL*Net traffic through these tunnels. This takes some more setup and maintenance, but can be done without purchasing any additional software (there are totally free SSH implementations for all platforms).

Regardless of which option you use to get the data to and from the database, here's how you'd go about using this approach to set a password:

  1. request the password from the user
  2. hash the password
  3. store the hashed password in the database table

For logins:

  1. request the password from the user
  2. hash the password
  3. obtain the hashed password from the database table
  4. compare the strings from #2 and #3. If they match, this is the correct password.

Tom Kyte answered some questions regarding this (in his usual, thorough way) at: http://asktom.oracle.com/pls/ask/f?p=4950:8:16985564963218549155.
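An added example of option 1, hashing in the application so only the hash ever reaches the database; it is not code from the original answer. It substitutes an in-memory SQLite table (assumed name users with columns username, salt, pw_hash) for the Oracle table so it runs offline, and it goes beyond the answer's plain hash by using PBKDF2 with a per-user random salt and a constant-time comparison at login.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the Oracle users table: an in-memory SQLite
# database so the example runs offline (assumption, not from the page).
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
)

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    """Application-side hash: only this value ever travels to the database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(username: str, password: str) -> None:
    """Steps 1-3 of the answer: take the password, hash it, store the hash."""
    salt = os.urandom(16)  # per-user random salt: equal passwords hash differently
    conn.execute(
        "INSERT OR REPLACE INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(username: str, password: str) -> bool:
    """Login steps: hash the offered password, fetch the stored hash, compare."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Unknown user: do the same work so timing does not reveal valid usernames.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    # Constant-time comparison: no leak of how many leading bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    set_password("alice", "correct horse battery staple")
    print(verify_login("alice", "correct horse battery staple"))  # True
    print(verify_login("alice", "wrong"))                         # False
```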

All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy