storing passwords !
-
Microsoft SQL Server version 7.0
---------------------------------

I have to find out a way wherein the login ID and passwords can be stored in a more secure way. I browsed the net and found the following information. Does this apply to SQL Server 7.0?

"Passwords are stored in the sysxlogins table in encrypted form. SQL Server uses an undocumented function, pwdencrypt(), to produce a hash of the user's password, which is stored in the sysxlogins table of the master database. When a user attempts to authenticate to SQL Server several things happen to do this. Firstly SQL Server examines the password entry for this user in the database and extracts the "salt" - 84449305 - in the example. This is then appended to the password the user supplies when attempting to log in and a SHA hash is produced. This hash is compared with the hash in the database and if they match the user is authenticated - and of course if the compare fails then the login attempt fails.

The user's password is converted to its UNICODE version if not already in this form. The salt is then appended to the end. This is then passed to the crypt functions in advapi32.dll to produce a hash using the secure hashing algorithm or SHA. The password is then converted to its upper case form, the salt tacked onto the end and another SHA hash is produced."

This method of storing is adopted by SQL Server. In this method, hacking the passwords sounds so easy! So, can someone suggest a better way of storing the passwords and the login information? Storing it in the registry is also not safe, I guess!

Thank you,
ranjani
-
Hi Ranjani:

The following article on PlanetCode seems to be in line with your doubt. Check it out:
http://www.planet-source-code.com/URLSEO/vb/scripts/ShowCode!asp/txtCodeId!735/lngWid!5/anyname.htm

Deepak Kumar Vasudevan
Personal Web: http://www24.brinkster.com/lavanyadeepak/default.asp
I Blog At: http://deepak.blogdrive.com/
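As an added example (not part of the original thread and not Microsoft's code), the Python below reproduces the two hashes the quoted passage describes, assuming "UNICODE" means UTF-16LE and "SHA" means SHA-1, and sets them beside a salted, iterated PBKDF2 record of the kind an application can store in its own login table instead. The function names, the iteration count and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PAGE_SALT = bytes.fromhex("84449305")  # salt value quoted in the post
ITERATIONS = 600_000                   # assumed work factor; tune to your hardware


def described_hashes(password: str, salt: bytes) -> tuple:
    """Scheme as the quoted text describes it (assumed: UTF-16LE, SHA-1):
    hash password+salt, then hash the upper-cased password+salt."""
    typed = hashlib.sha1(password.encode("utf-16-le") + salt).hexdigest()
    upper = hashlib.sha1(password.upper().encode("utf-16-le") + salt).hexdigest()
    return typed, upper


def store_password(password: str) -> dict:
    """Record to keep per login: random per-user salt, work factor, derived key.
    The password itself is never stored."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS, "salt": salt, "key": key}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              record["salt"], record["iter"])
    return hmac.compare_digest(key, record["key"])


if __name__ == "__main__":
    # Constructed sample passwords that differ only in letter case.
    a = described_hashes("Secret1", PAGE_SALT)
    b = described_hashes("sEcReT1", PAGE_SALT)
    print("as-typed hashes equal:  ", a[0] == b[0])
    # The second hash discards case, so it is the weaker of the two values.
    print("upper-case hashes equal:", a[1] == b[1])

    rec = store_password("Secret1")
    print("correct password verifies:", verify_password("Secret1", rec))
    print("case variant verifies:    ", verify_password("sEcReT1", rec))
```

The stored record keeps the algorithm name and iteration count next to the salt, so the work factor can be raised later and old records re-derived at the user's next successful login.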