tags:

views:

221

answers:

2
+4  Q: 

approaches to encrypt password in sql server 2005

Hai guys,

Thus far i am using the following statements for encrypting a password variable in sql server 2005

OPEN SYMMETRIC KEY SecureSymmetricKey1
DECRYPTION BY PASSWORD = N'StrongPassword';

 DECLARE @encrypted_str VARBINARY(MAX)
select @encrypted_str=EncryptByKey(Key_GUID('SecureSymmetricKey1'),@Password)

Is this a good practice or any other approach for doing this...

+2  A: 

If you mean your application user password it would be much easier (and probably good enough) to just hash and salt the user password.

There are a few reasons:

  • Hashing password is common practice/standard.
  • Password should not be recoverable from database (even with access to database it's hard to recover the password).
  • Database is not a calculator -- it's storing engine (advanced engine, but for storing data, not calculating them).

In SQL Server 2005 there is a function HashBytes is available. Don't forget to salt password before hash.

Exemplary code using HashBytes could look like this:

DECLARE 
    @password nvarchar(100),
    @salt AS nvarchar(100)

SET @salt = 'various random characters i.e. #_$a1b'
SET @password = 'my password'

SELECT HashBytes('SHA1', @salt + @password)

However, probably, it's much easier to make hash directly in application and only save hashed password to database.

Grzegorz Gierlik  2010-01-05 08:40:53
@gierlik any example of using hash in sql server 2005
Pandiya Chendur  2010-01-05 08:58:42
Don't use SHA1, it's a weak hash consider dead (http://valerieaurora.org/hash.html) use SHA-2 or up.
Noon Silk  2010-01-05 10:16:17
HashBytes() provides just MD2, MD4, MD5 and SHA-1. One more reason to generate hash inside application.
Grzegorz Gierlik  2010-01-05 11:10:23
+3  A: 

You may find this post on preferred-method-of-storing-passwords-in-database in Stackoverflow useful as well

kevchadders  2010-01-05 08:45:43

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP