RE: encrypt passwords and hold on Oracle tables
Keep in mind that this method is insecure if you expect
anyone to actually try to crack the encrypted password.
Anyone fairly good with cryptography (not me) would have your passwords cracked in a short time.
Jared
On Mon, 21 Aug 2000, Abdul Aleem wrote:
> John,
>
> Yes we also do that. We have our own encryption routine to save application
> user passwords in the database. To give you some idea, not the exact
> encryption ;) following is what we are doing.
>
> 1- Add a value (returned by an algorithm) to the ASCII code of each character of
> the password, to make it a non-keyboard character. The ASCII for the first
> non-keyboard character is 127. The ASCII for the first keyboard character is
> 32. The range of values to be added is therefore:
> 127 - 32 = 95 (lower limit) and
> 255 - 95 = 160 (upper limit).
> 2- Store the encrypted password in the table
> 3- When the user enters his/her password, the same algorithm encrypts the
> entered password and checks it against the stored one, instead of decrypting
> the stored password. This methodology saved us from writing a decryption
> routine; if a user forgets the password, we simply overwrite his old one using
> administrative rights. In the absence of a decryption routine, no one can
> decrypt passwords. Further, the source code of the encryption routine is
> available to a couple of senior developers only. Others use compiled code.
>
> I am not efficient at coding in PL/SQL, but it will look something like
> this.
>
> User_password := :Block.Password;
> Encrp_password := '';
> Position := 1;
> WHILE Position <= LENGTH(User_password) LOOP
>   -- Algorithm() is the per-character routine described above (not shown)
>   Encrp_password := Encrp_password || Algorithm(SUBSTR(User_password, Position, 1));
>   Position := Position + 1;
> END LOOP;
>
> HTH!
> Aleem
> -----Original Message-----
> Sent: 21 August 2000 22:09
> To: Multiple recipients of list ORACLE-L
> Subject: Re: encrypt passwords and hold on Oracle tables
>
> On Tue, 15 Aug 2000, Ashish Shah wrote:
>
> > you can try using package
> > dbms_obfuscation_toolkit.desencrypt...
> >
> > This will encrypt and decrypt data for you...
> >
> > the only problem is if someone knows how to
> > run this package to decrypt the data he can
> > have access to passwords...
>
>
> Knowing how to execute the package will not let
> you decrypt data unless you know what the key is.
>
>
> Jared
>
> >
> > well you can have a look.
> >
> > Let me know if someone has any better way of
> > securing passwds after encrypting them.
> >
> > Thanks.
> >
> >
> > --- John Dunn <john.dunn_at_sefas.co.uk> wrote:
> > > Our development team want to control access to
> > > application functionality via
> > > 'logical' users. That is, a list of users and the
> > > application functions they
> > > can use will be maintained in a database table.
> > > Actual connection to the
> > > database would always be via one user(maybe the
> > > schema owner, maybe some
> > > other single specified user).
> > >
> > > Does anyone else have applications that work in this
> > > way? What user do you
> > > use to connect to the database?
> > >
> > > The 'logical' users would also have passwords that
> > > would need to be held on
> > > the database tables. Is there any (easy) way to
> > > encrypt a character string
> > > and store it on the database?
> > >
> > > The front end application is Visual Basic using
> > > OO4O...but we use lots of
> > > PL/SQL too.
> > >
> > > Database is Oracle 8.0.5
> > >
> > > John
> > >
> > >
> > > --
> > > Author: John Dunn
> > > INET: john.dunn_at_sefas.co.uk
> > >
> > >
>
> Jared Still
> Certified Oracle DBA and Part Time Perl Evangelist ;-)
> Regence BlueCross BlueShield of Oregon
> jkstill_at_bcbso.com - Work - preferred address
> jkstill_at_teleport.com - private
>
>
> --
>
> --
> Author: Abdul Aleem
> INET: abchaudhary-ho_at_beaconhouse.edu.pk
>
>
Jared Still
Certified Oracle DBA and Part Time Perl Evangelist ;-)
Received on Tue Aug 22 2000 - 09:32:27 CDT
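
An added example, not part of the original thread or any poster's code: it contrasts the per-character scheme described in the quoted message with a salted, iterated hash that keeps the same compare-on-login design. The fixed offset of 95, the function names and the sample password are assumptions, since the poster's actual routine is not disclosed.

```python
import hashlib
import hmac
import os

OFFSET = 95  # assumption: the thread's lower limit; the real per-character value is undisclosed


def shift_encode(password: str) -> bytes:
    """Per-character scheme from the thread: add a value to each ASCII code."""
    return bytes(ord(c) + OFFSET for c in password)


def leaks(stored_a: bytes, stored_b: bytes) -> dict:
    """What a reader of the table learns without any decryption routine."""
    return {
        "length": len(stored_a),
        "same_password": stored_a == stored_b,
        "repeated_chars": len(stored_a) - len(set(stored_a)),
    }


def table_decode(stored: bytes) -> str:
    """The encoder is one-to-one per character, so tabulating it over the
    95 keyboard characters (codes 32..126) reverses any stored value."""
    table = {shift_encode(chr(c))[0]: chr(c) for c in range(32, 127)}
    return "".join(table[b] for b in stored)


def hash_password(password: str, iterations: int = 200_000) -> tuple:
    """Hardened form: random per-user salt plus a slow one-way function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: tuple) -> bool:
    """Same compare-on-login design as step 3, with a constant-time comparison."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    a, b = shift_encode("secret11"), shift_encode("secret11")  # constructed sample
    print(leaks(a, b), table_decode(a))
    r1, r2 = hash_password("secret11"), hash_password("secret11")
    print(r1[2] != r2[2], verify_password("secret11", r1), verify_password("Secret11", r1))
```

With the salted hash, two users with the same password get different stored values, and a forgotten password is still handled by an administrative overwrite, as in the original design.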