
RE: encrypt passwords and hold on Oracle tables

From: Jared Still <jkstill_at_bcbso.com>
Date: Tue, 22 Aug 2000 07:32:27 -0700 (PDT)
Message-Id: <10597.115219@fatcity.com>


Keep in mind that this method is insecure if you expect anyone to actually try to crack the encrypted password.

Anyone fairly good with cryptography (not me) would have your passwords cracked in a short time.

Jared

On Mon, 21 Aug 2000, Abdul Aleem wrote:

> John,
>
> Yes we also do that. We have our own encryption routine to save application
> user passwords in the database. To give you some idea, not the exact
> encryption ;) following is what we are doing.
>
> 1- Add a value (returned by an algorithm) to the ASCII of each character of
> password, to make it a non-keyboard character. The ASCII for the first
> non-keyboard character is 127. The ASCII for the first keyboard character is
> 32. The range of value to be added is therefore:
> 127 - 32 = 95 (lower limit) and
> 255 - 95 = 160 (upper limit).
> 2- Store the encrypted password in the table
> 3- When a user enters his/her password, the same algorithm encrypts the
> entered password and checks it against the stored one, instead of decrypting
> the stored password. This methodology saved us from writing a decryption
> routine; if a user forgets the password, we simply overwrite the old one using
> administrative rights. In the absence of a decryption routine, no one can
> decrypt passwords. Further, the source code of the encryption routine is
> available to a couple of senior developers only. Others use compiled code.
>
> I am not efficient at coding in PL/SQL, but it will look something like
> this.
>
> User_password := :Block.Password;
> Encrp_password := '';
> Position := 1;
> -- Algorithm() is the per-character routine described in step 1
> WHILE Position <= LENGTH(User_password) LOOP
>   Encrp_password := Encrp_password || Algorithm(SUBSTR(User_password, Position, 1));
>   Position := Position + 1;
> END LOOP;
>
> HTH!
> Aleem
> -----Original Message-----
> Sent: 21 August 2000 22:09
> To: Multiple recipients of list ORACLE-L
> Subject: Re: encrypt passwords and hold on Oracle tables
>
> On Tue, 15 Aug 2000, Ashish Shah wrote:
>
> > you can try using package
> > dbms_obfuscation_toolkit.desencrypt...
> >
> > This will encrypt and decrypt data for you...
> >
> > the only problem is if someone knows how to
> > run this package to decrypt the data he can
> > have access to passwords...
>
>
> Knowing how to execute the package will not let
> you decrypt data unless you know what the key is.
>
>
> Jared
>
> >
> > well you can have a look.
> >
> > Let me know if someone has any better way of
> > securing passwords after encrypting them.
> >
> > Thanks.
> >
> >
> > --- John Dunn <john.dunn_at_sefas.co.uk> wrote:
> > > Our development team want to control access to
> > > application functionality via
> > > 'logical' users. That is, a list of users and the
> > > application functions they
> > > can use will be maintained in a database table.
> > > Actual connection to the
> > > database would always be via one user(maybe the
> > > schema owner, maybe some
> > > other single specified user).
> > >
> > > Does anyone else have applications that work in this
> > > way? What user do you
> > > use to connect to the database?
> > >
> > > The 'logical' users would also have passwords that
> > > would need to be held on
> > > the database tables. Is there any (easy) way to
> > > encrypt a character string
> > > and store it on the database?
> > >
> > > The front end application is Visual Basic using
> > > OO4O...but we use lots of
> > > PL/SQL too.
> > >
> > > Database is Oracle 8.0.5
> > >
> > > John
> > >
> > >
> > > --
> > > Author: John Dunn
> > > INET: john.dunn_at_sefas.co.uk
> > >
> > > Fat City Network Services -- (858) 538-5051 FAX:
> > > (858) 538-5051
> > > San Diego, California -- Public Internet
> > > access / Mailing Lists
> > >
>
> Jared Still
> Certified Oracle DBA and Part Time Perl Evangelist ;-)
> Regence BlueCross BlueShield of Oregon
> jkstill_at_bcbso.com - Work - preferred address
> jkstill_at_teleport.com - private
>
>
> --
>
> --
> Author: Abdul Aleem
> INET: abchaudhary-ho_at_beaconhouse.edu.pk
>

Jared Still
Certified Oracle DBA and Part Time Perl Evangelist ;-)
Received on Tue Aug 22 2000 - 09:32:27 CDT
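
Why the character-offset scheme quoted above is reversible, next to a one-way replacement, as an added example that is not part of the original messages. The fixed offset of 95 is an assumption standing in for the undisclosed algorithm, the sample passwords are constructed, and the hardened half uses a per-user salt with PBKDF2-HMAC-SHA256 from Python's standard library.

```python
import hashlib
import hmac
import os

# Assumption: a fixed offset stands in for the thread's undisclosed Algorithm().
OFFSET = 95


def shift_encrypt(password, offset=OFFSET):
    """Weak scheme from the thread: add a value to each character code."""
    return "".join(chr(ord(c) + offset) for c in password)


def recover_offset(known_password, stored):
    """One known password/stored pair (such as your own account) reveals the offset."""
    return ord(stored[0]) - ord(known_password[0])


def shift_decrypt(stored, offset):
    """No decryption routine has to exist: subtraction inverts the scheme."""
    return "".join(chr(ord(c) - offset) for c in stored)


def hash_password(password, salt=None, iterations=600_000):
    """Hardened form: random per-user salt and a slow one-way KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    stored = shift_encrypt("Tiger2000")
    offset = recover_offset("mine", shift_encrypt("mine"))
    print("recovered from stored value:", shift_decrypt(stored, offset))
    record = hash_password("Tiger2000")
    print("salted hash verifies:", verify_password("Tiger2000", *record))
```

With the salted form, two users who choose the same password get different stored values, and a forgotten password is still handled by overwriting the record, as the thread already does.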
