Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Using MS Sql Server to store Passwords

  1. #1
    Join Date
    Dec 2004
    Posts
    159
    Rep Power
    0

    Question Using MS Sql Server to store Passwords

    I am developing a software and I am using MS Sql Server 2000 to store user account information for each person who uses the system. I want to know what is the best way to store the user's password in the database and how can i do this.
    Presently I am storing the password as string and I did this just for testing purposes but i want to make sure the user password is secure.
    Another thing, when displaying the users information in a dataGrid, how can I hide/scramble the password so that it is not readily visible cause when the administrator is accessing the user account I dont want them to see the user's password even thou they can change /delete it but i dont want them to see it.
    help me if you have done this before or if you can assist that will be well appreciated.
    live good today cause u will never know wat will happen 2marrow and it was never promised to no man either

  2. #2
    Join Date
    Oct 2004
    Posts
    4,814
    Rep Power
    24

    Default

    Use a one way has function to encrypt the password..

    The password cannot be decrypted and the original password is un-redable by anyone viewing the database. To check that a user had entered the correct password you will need to apply the hash function to it and then check the database to see if the generated result matched.

    for example applying a SHA1 hash to a string like "password"

    sha1.hash("password") = "%fhtypery&"

    Which languge are you coding the software in? I may be able to give better advice. Opps nvm, I just say the catergory.
    is it VB or VB.NET, im not really a sucker for the two but i'll still help.

  3. #3
    Join Date
    Dec 2004
    Posts
    159
    Rep Power
    0

    Post

    I am using VB .NET and I was trying to use a hash function which i found in a VB .NET help file but it gave me a input parameter error, stating that it is incorrect format.
    For the password field and variable, I am using byte() in VB .NET and varbinary in the SQL server database. what type should i use in the database for it to accept it?

    Hash function code I used:

    Code:
    Public Function CreateDBPassword(ByVal password As String) As Byte()
            ' Create the unsalted password hash.
            Dim UnsaltedPassword() As Byte = CreatePasswordHash(password)
    
            ' Generate a random salt value.
            Dim SaltValue(SaltLength - 1) As Byte
            Dim Rng As New RNGCryptoServiceProvider
            Rng.GetBytes(SaltValue)
    
            ' Create the salted hash.
            Return CreateSaltedPassword(SaltValue, UnsaltedPassword)
        End Function
    
        ' This function returns a password hash
        ' that hasn't been salted.
        Private Function CreatePasswordHash(ByVal password As String) As Byte()
            Dim Sha1 As New SHA1Managed
            Return Sha1.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password))
        End Function
    
        ' This function accepts the password hash, and
        ' salts it with the given salt value.
        Private Function CreateSaltedPassword(ByVal saltValue As Byte(), _
          ByVal unsaltedPassword() As Byte) As Byte()
            ' Add the salt to the hash.
            Dim RawSalted(unsaltedPassword.Length + saltValue.Length - 1) As Byte
            unsaltedPassword.CopyTo(RawSalted, 0)
            saltValue.CopyTo(RawSalted, unsaltedPassword.Length)
    
            ' Create the salted hash.
            Dim Sha1 As New SHA1Managed
            Dim SaltedPassword() As Byte = Sha1.ComputeHash(RawSalted)
    
            ' Add the salt value to the salted hash.
            Dim DbPassword(SaltedPassword.Length + saltValue.Length - 1) As Byte
            SaltedPassword.CopyTo(DbPassword, 0)
            saltValue.CopyTo(DbPassword, SaltedPassword.Length)
    
            Return DbPassword
        End Function
    Last edited by Arch_Angel; Mar 7, 2006 at 07:02 PM. Reason: added CODE tags
    live good today cause u will never know wat will happen 2marrow and it was never promised to no man either

  4. #4
    Join Date
    Oct 2004
    Posts
    4,814
    Rep Power
    24

    Default

    Convert the byte to a string and used nvarchar in the database to store them.

  5. #5
    Join Date
    Aug 2002
    Posts
    3,959
    Rep Power
    25

    Default

    Hmmmm...

    I am not a programmer so it is likely that I am way off base.

    I work with a few applications that use SQL server as the database. They use SQL server's security to manage users and passwords.

    In other words, the users are created as SQL server logins and each user is given rights to a specific SQL Server database.

    I am not aware of any application that puts the usernames and passwords in a user defined table.

    Why would this approach not work here?

    Can your application send SQL Server the correct transact-SQL statements to create the user?

  6. #6
    Join Date
    Oct 2004
    Posts
    4,814
    Rep Power
    24

    Default

    Well from the first post, it seems as if hes coding a software that needs some form of authetication from its users. Hes using the database to store the credentials of each user of the software but he doesn't want the password to be stored in plain text. its like jabber server storing its users credentials in a mysql server for example.

  7. #7
    Join Date
    Aug 2002
    Posts
    3,959
    Rep Power
    25

    Default

    Are the SQL Server logins stored in plain text? If so, how does the typical application secure them as they travel across the network?

  8. #8
    Join Date
    Oct 2004
    Posts
    4,814
    Rep Power
    24

    Default

    Quote Originally Posted by jamrock
    Are the SQL Server logins stored in plain text?
    No, its very well encrypted by the datbase server.

    If so, how does the typical application secure them as they travel across the network?
    The typical application use database drivers that communicates with the database server on its behalf. Drivers encrypts the data passed between itself and the datbase server.

  9. #9
    Join Date
    Dec 2004
    Posts
    159
    Rep Power
    0

    Default

    I dont want to use the Sql server login because:
    1. I want to be able to store other information about the user. like name and user previliges in my software
    2. I am not sure if you can get a list of the database users being visible in my application unless you know a way of doing that...

    the code that i listed is what i am testing out on my password and I notice that with it I can only use the code to added and then any other operations i can do is compare using that code.

    does anyone have a better code that i could try to make it easier for me?
    live good today cause u will never know wat will happen 2marrow and it was never promised to no man either

  10. #10
    Join Date
    Aug 2002
    Posts
    3,959
    Rep Power
    25

    Default

    1. I want to be able to store other information about the user. like name and user previliges in my software
    2. I am not sure if you can get a list of the database users being visible in my application unless you know a way of doing that...
    I understand.

    I have seen both of these things done. However, I do not know how to do them.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •