How do we protect passwords in web pages

Fri, 29 Jun 2007 21:18:37 GMT

While developing web pages, we need to avoid storing user passwords either in plaintext or encrypted format. Instead, store password hashes with salt. Ensure only required accounts have the access to user store database. Store your credential database on a physically separate server from your Web server.

Solution:

Passwords should not be stored encrypted, but rather they should be stored HASHED or DIGESTED. To validate a username/password add some magic "salt" and hash it. This results in a fixed length string of some bytes of data. We compare that to the stored hash and if they match – user is validated.

For examples:

Using C#/VB.NET:

http://www.obviex.com/samples/hash.aspx

Using ORACLE:

declare

function digest( p_username in varchar2, p_password in varchar2 ) return varchar2

begin

return ltrim( to_char( dbms_utility.get_hash_value(

upper(p_username)||'/'||upper(p_password), 1000000000, power(2,30) ),rpad( 'X',29,'X')||'X' ) );

end digest;

begin

for x in ( select username from all_users where rownum < 20 )

loop

dbms_output.put_line( 'User: ' || rpad( x.username , 30 ) ||

' digest: ' || digest( x.username, 'TIGER' ) );

end loop;

end;

Results:

User: SYS digest: 6869FA1A

User: SYSTEM digest: 79F08AFC

User: SCOTT digest: 4307767C

blogs.matrixwebs.com

How do we protect passwords in web pages