pwd's in dbases

John

Hi all,



What is the best way to store a pwd into a dbase? I guess it is hashing it.
Read a lot regarding this issue to use md5 for it, but can I use AES for it
also? And what is that salt thing doing? And then, there is more: what is
the best way to request a login and pwd from a user (client level) without
using https or ntlm or something like that, just a clean html / asp thing.



John
 
Cowboy (Gregory A. Beamer) [MVP]

It depends on the implementation.

For ultimate security, encrypt with a one-way function. You then encrypt
prior to checking if the login is correct. In this system, a new PWD has to
be generated if the user loses it, as PWDs are not crackable (at least in
theory). I have seen systems that used a one-way hash, but these are not
really one way. PVCS used (may still use) a simple hex generator that threw
off the ASCII code according to a simple algorithm. Rather easy to crack for
anyone with a few minutes of time and an understanding of security. This is
not a good method for a really secure system, but most systems are not
otherwise set up to prevent internal hacking anyway. The hash will stop the
casual looker, while the encrypt will help even more.

NOTE: There are more prudent methods to secure databases, like eliminating
direct table access and forcing access via stored procedures.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************
Think Outside the Box!
************************************************
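
Added example, not part of any post in this thread: a sketch of the "one-way function, then compare at login" approach described above, which also shows what a per-user salt does. The choice of PBKDF2 from Python's standard `hashlib`, the iteration count, the function names and the sample passwords are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); both are stored in the user's row."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt, then compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def unsalted_md5(password: str) -> str:
    """Weak scheme for comparison: fast, and equal passwords give equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    same_md5 = unsalted_md5("correct horse") == unsalted_md5("correct horse")
    print("unsalted md5 rows identical:", same_md5)
    print("salted rows identical:      ", alice[1] == bob[1])
    print("correct login accepted:     ", verify_password("correct horse", *alice))
    print("wrong login accepted:       ", verify_password("wrong guess", *alice))
```

The salt is not secret; it is stored next to the derived key so that identical passwords produce different rows and a precomputed digest table cannot be reused across users.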
 
Jeff Cochran

> What is the best way to store a pwd into a dbase? I guess it is hashing it.
> Read a lot regarding this issue to use md5 for it, but can I use AES for it
> also? And what is that salt thing doing?

All these are great, though some may be trivial to break. The real
security comes from not allowing access to the table the passwords are
stored in.

> And then, there is more: what is
> the best way to request a login and pwd from a user (client level) without
> using https or ntlm or something like that, just a clean html / asp thing.

Use a simple form if that's all you need. SSL would help, and an
ActiveX that encoded the password on the client may add security, but
just a basic login form is pretty simple.

Jeff
 
