Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: Encryption

From: Mark Brinsmead <mark.brinsmead_at_shaw.ca>
Date: Wed, 16 Nov 2005 11:22:08 -0700
Message-id: <437B78D0.1020906@shaw.ca>


There have been lots of good technical suggestions here. I have little technical to add, aside from perhaps one word: "RC5". The database encryption/obfuscation packages provide a function to compute RC5-hashes. Give it some consideration. Oh, yes, and use a large random "salt". If you don't already know what password "salting" is, I suspect a Google search (or a review of the UNIX manpages) will find you all the information you need. (And DON'T use the "username" as the salt, like one popular software package we all know...)

Perhaps more valuable advice is this: DO NOT USE SSN AS A DEFAULT PASSWORD!

I do not have detailed knowledge of U.S. legislation regarding SSNs, however, if it is anything like the Canadian counterpart then it is probably unlawful to use SSNs for ANYTHING other than reporting tax/employment information to the government.

I know that you probably have concerns about secure means of transmitting initial passwords to users (which are next to non-existent), but as a user of your system I would be much more comfortable with a randomly-generated initial password delivered by public e-mail than with the knowledge that your application code (and application developers) have access to my SSN. Of course, this does depend (a lot) on what that password can be used to access...

Anyway, that's just my two cents' worth. Happy password hashing.

Cheers,
-- Mark Brinsmead

Justin Cave (DDBC) wrote:

> Oracle has DBMS_OBFUSCATION_TOOLKIT (pre-10g) and DBMS_CRYPTO (post
> 10g) packages that allow you to both encrypt data and to hash it. For
> password storage, you almost certainly want to hash the password
> (which is unrecoverable) rather than encrypting it (which is
> recoverable). Oracle, Unix, and just about every other platform will
> hash passwords
>
> Tom Kyte has an excellent discussion on this topic here-
>
> http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:95412348059
>
> Justin
>
> ------------------------------------------------------------------------
>
> *From:* oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] *On Behalf Of *Burton, Laura
> *Sent:* Tuesday, November 15, 2005 5:03 PM
> *To:* oracle-l_at_freelists.org
> *Subject:* Encryption
>
> Scenario:
>
> We have a new user which will be created an account in an application
> (not a database user) by inserting into a table. When this occurs a
> trigger is fired to insert the user into other tables. A field in one
> of the tables is an encrypted password. We want the initial password
> to be the person's ssn, which was input into the table which fired the
> trigger. Does oracle have an encryption process that can be executed
> to encrypt the ssn, in this example, before inserting into another
> table? We have looked on OTN but could not find anything. I know the
> easy thing to do would be to use a generic password so that we could
> just move the encrypted password in every time, but our user wants ssn
> so that it will be unique to that user until they are prompted to
> change their password on the initial log in to the application.
> Again, this is not a database user.
>
> Thanks for the feedback.
>
> Laura
>

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Nov 16 2005 - 15:19:10 CST
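The following PL/SQL is an added example, not code posted in this thread or taken from Oracle's documentation. It shows the scheme Justin and Mark describe for Laura's trigger scenario: DBMS_CRYPTO (10g and later) hashing a password together with a random per-user salt from DBMS_CRYPTO.RANDOMBYTES, and the initial password being generated at random rather than taken from the SSN column. The table name `app_users`, the package name `pw_util`, the column names and the round count `c_rounds` are all assumptions made for the example; the hypothetical `deliver_initial_password` hook stands in for whatever channel the application uses to get the one-time password to the user.

```sql
-- Assumed schema for this example (not from the thread):
--   CREATE TABLE app_users (
--     username    VARCHAR2(64) PRIMARY KEY,
--     salt        RAW(16)      NOT NULL,
--     pw_hash     RAW(20)      NOT NULL,    -- SHA-1 digest is 20 bytes
--     must_change CHAR(1)      DEFAULT 'Y' NOT NULL
--   );
-- Requires: GRANT EXECUTE ON SYS.DBMS_CRYPTO TO <application schema>;

CREATE OR REPLACE PACKAGE pw_util AS
  c_salt_bytes CONSTANT PLS_INTEGER := 16;
  c_rounds     CONSTANT PLS_INTEGER := 10000;  -- assumed work factor; tune to your hardware

  FUNCTION new_salt RETURN RAW;
  FUNCTION hash_password(p_password IN VARCHAR2, p_salt IN RAW) RETURN RAW;
  FUNCTION random_initial_password(p_bytes IN PLS_INTEGER DEFAULT 12) RETURN VARCHAR2;
  FUNCTION verify(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
END pw_util;
/

CREATE OR REPLACE PACKAGE BODY pw_util AS

  FUNCTION new_salt RETURN RAW IS
  BEGIN
    -- Cryptographically strong random bytes, unique per user.
    -- The salt is not derived from the username or any other user attribute.
    RETURN DBMS_CRYPTO.RANDOMBYTES(c_salt_bytes);
  END new_salt;

  FUNCTION hash_password(p_password IN VARCHAR2, p_salt IN RAW) RETURN RAW IS
    l_digest RAW(20);
  BEGIN
    -- Pin the character set so the same password hashes identically from every client.
    l_digest := DBMS_CRYPTO.HASH(
                  UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
                  DBMS_CRYPTO.HASH_SH1);
    -- One SHA-1 is cheap to brute-force offline; re-hash (salt || digest) c_rounds
    -- times so each guess costs the attacker the same work it costs the login.
    FOR i IN 2 .. c_rounds LOOP
      l_digest := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(p_salt, l_digest), DBMS_CRYPTO.HASH_SH1);
    END LOOP;
    RETURN l_digest;
  END hash_password;

  FUNCTION random_initial_password(p_bytes IN PLS_INTEGER DEFAULT 12) RETURN VARCHAR2 IS
  BEGIN
    -- p_bytes random bytes rendered as hex: unique to the user, unguessable, and
    -- carries no personal data (unlike the SSN). 12 bytes -> 24 hex characters.
    RETURN LOWER(RAWTOHEX(DBMS_CRYPTO.RANDOMBYTES(p_bytes)));
  END random_initial_password;

  FUNCTION verify(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    l_salt RAW(16);
    l_hash RAW(20);
  BEGIN
    SELECT salt, pw_hash INTO l_salt, l_hash
      FROM app_users
     WHERE username = p_username;
    -- Recompute with the stored salt; the stored digest itself is never reversed.
    RETURN hash_password(p_password, l_salt) = l_hash;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN FALSE;  -- unknown user fails the same way as a wrong password
  END verify;

END pw_util;
/

-- Row trigger standing in for the one in Laura's scenario: the credential row gets a
-- random initial password and a fresh salt; the SSN column is never read here.
CREATE OR REPLACE TRIGGER trg_app_users_init_pw
  BEFORE INSERT ON app_users
  FOR EACH ROW
DECLARE
  l_initial VARCHAR2(64);
BEGIN
  l_initial        := pw_util.random_initial_password();
  :NEW.salt        := pw_util.new_salt();
  :NEW.pw_hash     := pw_util.hash_password(l_initial, :NEW.salt);
  :NEW.must_change := 'Y';
  -- deliver_initial_password(:NEW.username, l_initial);  -- hypothetical delivery hook
END;
/
```

Two caveats for anyone lifting this. First, 10g's DBMS_CRYPTO only offers MD4, MD5 and SHA-1 digests (plus HMAC variants), so the iteration loop is what supplies the slowdown; on 12c and later use DBMS_CRYPTO.HASH_SH256 and widen `pw_hash` to RAW(32). Second, the plaintext initial password exists only in the trigger's local variable and whatever the delivery hook does with it; nothing about the user's SSN is involved, which is the point of Mark's advice.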

