RE: encrypt passwords and hold on Oracle tables
John,
Yes, we also do that. We have our own encryption routine to save application user passwords in the database. To give you some idea, not the exact encryption ;), the following is what we are doing.
1- Add a value (returned by an algorithm) to the ASCII code of each character of the password, to make it a non-keyboard character. The ASCII code for the first non-keyboard character is 127. The ASCII code for the first keyboard character is 32. The range of the value to be added is therefore:
127 - 32 = 95 (lower limit) and
255 - 95 = 160 (upper limit).
2- Store the encrypted password in the table.
3- When the user enters his/her password, the same algorithm encrypts the entered password and checks it against the stored one, instead of decrypting the stored password. This methodology saved us from writing a decryption routine; if a user forgets the password, we simply overwrite his old one using administrative rights. In the absence of a decryption routine, no one can decrypt passwords. Further, the source code of the encryption routine is available to a couple of senior developers only. Others use compiled code.
I am not efficient at coding in PL/SQL, but it will look something like this.
User_password := :Block.Password;
Encrp_password := '';
Position := 1;
-- Transform each character with the (undisclosed) Algorithm function and append the result
WHILE Position <= LENGTH(User_password) LOOP
  Encrp_password := Encrp_password || Algorithm(SUBSTR(User_password, Position, 1));
  Position := Position + 1;
END LOOP;
HTH!
Aleem
-----Original Message-----
From: Jared Still [mailto:jkstill_at_bcbso.com]
Sent: 21 August 2000 22:09
To: Multiple recipients of list ORACLE-L
Subject: Re: encrypt passwords and hold on Oracle tables
On Tue, 15 Aug 2000, Ashish Shah wrote:
> you can try using package
> dbms_obfuscation_toolkit.desencrypt...
>
> This will encrypt and decrypt data for you...
>
> the only problem is if someone knows how to
> run this package to decrypt the data he can
> have access to passwords...
Knowing how to execute the package will not let you decrypt data unless you know what the key is.
Jared
>
> well you can have a look.
>
> Let me know if someone has any better way of
> securing passwords after encrypting them.
>
> Thanks.
>
>
> --- John Dunn <john.dunn_at_sefas.co.uk> wrote:
> > Our development team want to control access to
> > application functionality via
> > 'logical' users. That is, a list of users and the
> > application functions they
> > can use will be maintained in a database table.
> > Actual connection to the
> > database would always be via one user(maybe the
> > schema owner, maybe some
> > other single specified user).
> >
> > Does anyone else have applications that work in this
> > way? What user do you
> > use to connect to the database?
> >
> > The 'logical' users would also have passwords that
> > would need to be held on
> > the database tables. Is there any (easy) way to
> > encrypt a character string
> > and store it on the database?
> >
> > The front end application is Visual Basic using
> > OO4O...but we use lots of
> > PL/SQL too.
> >
> > Database is Oracle 8.0.5
> >
> > John
> >
> >
> > --
> > Author: John Dunn
> > INET: john.dunn_at_sefas.co.uk
Jared Still
Certified Oracle DBA and Part Time Perl Evangelist ;-)
Regence BlueCross BlueShield of Oregon
Received on Mon Aug 21 2000 - 23:14:09 CDT
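
An added example, not part of the original posts or the posters' code: the "re-compute from the entered password and compare" check from item 3 of the reply, implemented with a salted PBKDF2 hash, beside a fixed-offset stand-in for the undisclosed per-character routine to show that such a transform is undone by anyone who holds the routine. The offset 95, the function names, the sample password and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; tune for your own hardware


def shift_encode(password: str, offset: int = 95) -> str:
    """Stand-in (assumption) for the post's undisclosed Algorithm():
    add a fixed offset to each character code, 32..126 -> 127..221."""
    return "".join(chr(ord(c) + offset) for c in password)


def shift_decode(stored: str, offset: int = 95) -> str:
    """No separate decryption routine is needed: subtracting the same
    offset recovers the password from the stored value."""
    return "".join(chr(ord(c) - offset) for c in stored)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Store both the salt and the digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Item 3 of the post: derive from the entered password with the
    stored salt and compare, never decrypting the stored value."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)  # constant-time compare


if __name__ == "__main__":
    sample = "Tiger#1"  # constructed sample password
    stored_shift = shift_encode(sample)
    print("shift scheme reversed:", shift_decode(stored_shift) == sample)

    salt, digest = hash_password(sample)
    print("correct password:", verify_password(sample, salt, digest))
    print("wrong password:  ", verify_password("tiger#1", salt, digest))
```

With the salted hash, two users who pick the same password get different stored values, and a forgotten password is still handled the way the post describes, by overwriting it.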