When building a web application, never store user passwords in plaintext or in a reversible encrypted form. Store a salted password hash instead. Grant access to the credential store only to the accounts that actually need it, and keep the credential database on a physically separate server from the web server.
Solution:
Passwords should not be stored encrypted (anything encrypted can be decrypted once the key leaks) but HASHED, i.e. digested with a one-way function. When a password is set, generate a random per-user "salt", hash the salt together with the password, and store the salt and the resulting fixed-length hash. To validate a username/password, look up the stored salt, hash the supplied password with it in the same way, and compare the result with the stored hash; if they match, the user is validated. The salt is not a secret: its job is to make identical passwords hash to different values and to defeat precomputed tables. Use a deliberately slow password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) rather than a plain fast hash, and compare the hashes in constant time.
Examples:
Using C#/VB.NET:
http://www.obviex.com/samples/hash.aspx
Using Oracle PL/SQL (illustrative only: dbms_utility.get_hash_value is a fast, non-cryptographic hash with a 2^30 output space, and the only "salt" is the username, so this shows the mechanism, not a production-strength scheme; run with set serveroutput on in SQL*Plus to see the output):
declare
    -- Digest of username/password: the upper-cased username is mixed in so that
    -- two users with the same password do not share a digest.
    function digest( p_username in varchar2, p_password in varchar2 ) return varchar2
    is
    begin
        -- get_hash_value( value, base, hash_size ) returns a number in [base, base + hash_size);
        -- to_char with a 30-character mask of X's renders it as hex, ltrim strips the padding.
        return ltrim( to_char( dbms_utility.get_hash_value(
                   upper(p_username)||'/'||upper(p_password), 1000000000, power(2,30) ),
                   rpad( 'X',29,'X')||'X' ) );
    end digest;
begin
    -- Demo: digest the same password 'TIGER' for the first 19 database users
    for x in ( select username from all_users where rownum < 20 )
    loop
        dbms_output.put_line( 'User: ' || rpad( x.username , 30 ) ||
                              ' digest: ' || digest( x.username, 'TIGER' ) );
    end loop;
end;
/
Results (the same password 'TIGER' gives a different digest for each user because the username is mixed in):
User: SYS digest: 6869FA1A
User: SYSTEM digest: 79F08AFC
User: SCOTT digest: 4307767C
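The same salted hash-and-compare scheme with a proper password hash, as an added example that is not code from the original page or from the linked C# sample. It uses PBKDF2-HMAC-SHA256 from the Python standard library with a random 16-byte salt per password, constant-time comparison, and a dummy record so that unknown usernames cost the same as real ones. The record layout "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>", the in-memory user store, and the function names are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Added example, not code from the original page: a minimal salted password
# store built on PBKDF2-HMAC-SHA256. The record layout
# "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is this example's own
# convention, not a format the page prescribes.

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it over time as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored password
HASH_BYTES = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # The salt is not secret; it only guarantees that identical passwords
    # produce different hashes and defeats precomputed (rainbow) tables.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=HASH_BYTES)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Build the record to store when a password is set or changed."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False   # malformed record (wrong field count, bad hex or int): fail closed
    if algorithm != ALGORITHM or iterations <= 0 or len(expected) != HASH_BYTES:
        return False
    candidate = _derive(password, salt, iterations)
    # compare_digest does not stop at the first mismatching byte, so the
    # comparison time does not leak how much of the hash was right.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record is below the current work factor.

    Call after a successful login and re-store hash_password(password).
    """
    try:
        algorithm, iterations, _salt_hex, _digest_hex = record.split("$")
        return algorithm != ALGORITHM or int(iterations) < ITERATIONS
    except ValueError:
        return True


# Constructed dummy record: unknown usernames are verified against it so that
# login timing does not reveal which usernames exist in the store.
_DUMMY_RECORD = hash_password("placeholder-not-a-real-password")


def check_login(user_store: dict, username: str, password: str) -> bool:
    """Validate a login against a {username: record} store (constructed stand-in for the credential DB)."""
    record = user_store.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in user_store


if __name__ == "__main__":
    users = {"scott": hash_password("tiger"), "system": hash_password("tiger")}
    print(users["scott"] != users["system"])     # True: same password, different salts
    print(check_login(users, "scott", "tiger"))    # True
    print(check_login(users, "scott", "TIGER"))    # False: no case folding, unlike the Oracle sample
    print(check_login(users, "nobody", "tiger"))   # False
```

Unlike the Oracle sample above, the password is not upper-cased before hashing, so it keeps its full character space; only the salt, iteration count and hash are stored, and nothing in the record can be "decrypted" back to the password.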