How could I create a trigger that at any insertion on my table [users] will automatically change the content of its [password] field to its MD5 hash?
PS: I do not want this to be done on the client side.
I may be reading too much into your question, but I think you WANT to do something client-side. Here's why:
The only place a password should be in clear-text is when the user types it. Encrypt it, send it over the wire, store it encrypted, & compare it encrypted. At no point in this chain is the password sniffable.
If you were to encrypt the password when it was written, how would you ever check it when they try to log in later?
SQL 2005 has HASHBYTES which will do what you want: http://msdn.microsoft.com/en-us/library/ms174415.aspx
Just fire a trigger on UPDATE and INSERT using that function around your password and you have avoided storing plain text passwords. Better: write a stored procedure that does the hash and is used to update passwords. (This avoids the overhead of a trigger, which I avoid like the plague unless nothing else will do.)
Here is an example I just hacked up:
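    -- Demo table: PasswordProxy only carries the clear-text input into the trigger
    create table TestTrigger2 (
        TestTriggerID int not null identity(1,1),
        Hashed binary(50),
        PasswordProxy nvarchar(50)
    )
    go

    --select HashBytes('MD5', N'This string')

    -- create trigger must be the first statement in its batch, hence the go separators
    create trigger HashPass2 on TestTrigger2
    instead of insert
    as
    begin
        -- store only the hash of salt + password; PasswordProxy is left NULL
        insert into TestTrigger2 (Hashed)
        select HashBytes('MD5', '@!98ABc'+PasswordProxy) from inserted
    end
    go

    insert into TestTrigger2
        (PasswordProxy)
    values
        ('My password')

    select *
    from TestTrigger2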
When you look at the result of the final query, you will note that PasswordProxy is NULL (it is just there to make a string usable for input) and the Hashed will have the hashed value. The garbage prepended to the PasswordProxy is a salt to avoid the rainbow attack mentioned (it will make your password hashes different from just hashing the base string). Pick something longer and of your own creation.
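The stored-procedure route suggested in the answer above, together with the later check at login, as an added example that is not part of the original answers. It swaps the fixed salt and MD5 for a random per-row salt (CRYPT_GEN_RANDOM) and SHA2_512, which assumes SQL Server 2012 or later; the table and procedure names (UsersDemo, SetUserPassword, CheckUserPassword) and the sample values are hypothetical.

```sql
-- Added example; object names are hypothetical, sample values are constructed.
CREATE TABLE dbo.UsersDemo (
    UserID       int IDENTITY(1,1) NOT NULL PRIMARY KEY,
    UserName     nvarchar(50)  NOT NULL UNIQUE,
    PasswordSalt varbinary(16) NOT NULL,
    PasswordHash varbinary(64) NOT NULL   -- SHA2_512 output is 64 bytes
);
GO

-- Write path: the only way a password reaches the table.
CREATE PROCEDURE dbo.SetUserPassword
    @UserName nvarchar(50),
    @Password nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    -- Fresh random salt per row, so equal passwords give different hashes.
    DECLARE @Salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    DECLARE @Hash varbinary(64) =
        HASHBYTES('SHA2_512', @Salt + CAST(@Password AS varbinary(100)));
    UPDATE dbo.UsersDemo
       SET PasswordSalt = @Salt, PasswordHash = @Hash
     WHERE UserName = @UserName;
    -- No existing row for this user: create it.
    IF @@ROWCOUNT = 0
        INSERT INTO dbo.UsersDemo (UserName, PasswordSalt, PasswordHash)
        VALUES (@UserName, @Salt, @Hash);
END;
GO

-- Login path: re-hash the candidate with the stored salt and compare hashes.
CREATE PROCEDURE dbo.CheckUserPassword
    @UserName nvarchar(50),
    @Password nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CASE WHEN EXISTS (
               SELECT 1 FROM dbo.UsersDemo
                WHERE UserName = @UserName
                  AND PasswordHash = HASHBYTES('SHA2_512',
                        PasswordSalt + CAST(@Password AS varbinary(100)))
           ) THEN 1 ELSE 0 END AS IsValid;
END;
GO

EXEC dbo.SetUserPassword   N'alice', N'My password';
EXEC dbo.CheckUserPassword N'alice', N'My password';
EXEC dbo.CheckUserPassword N'alice', N'wrong guess';
```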
You can use the HashBytes method. Not sure if this is available in SQL Server versions before 2008.

    select HashBytes('MD5', 'THIS IS MY PASSWORD')
You can use an INSTEAD OF INSERT trigger for this. It replaces the default INSERT with something you define, for example, an MD5 hash of one of the inserted columns.