tags:

views:

473

answers:

2
+2  Q: 

creating password field in oracle

What is the use of "The Secure External Password Store"?

And can I create password field in my Oracle table using "The Secure External Password Store"? Or how can I create password field in my Oracle table without using "The Secure External Password Store"?

+2  A: 

One method without using "The Secure External Password Store" (whatever that may be) is to add a RAW(16) column to the table to store a hashed username and password:

alter table mytable add password raw(16);

Then store the hashed username and password in it like this:

insert into mytable (username, password, ...)
values (:username, dbms_obfuscation_toolkit.md5 
                      (input => utl_i18n.string_to_raw
                                  (upper(:username)||:password))
       );

Then when a user tries to log in with a username and password you can check them like this:

select 'OK'
from   mytable
where  username = :username
and    password = dbms_obfuscation_toolkit.md5 
                      (input => utl_i18n.string_to_raw
                                  (upper(:username)||:password));

This way nobody can find out what the stored password is (other than by brute force).

Tony Andrews  2010-01-29 12:01:17
+2  A: 

The secure external password store is not designed for regular user accounts. It is aimed at securely holding passords for accounts which need to connect to the database from autonomic processes (like, say, shell scripts ):

The secure external password store uses an Oracle Wallet to hold one or more user name/password combinations to run batch processes and other tasks that run without user interaction.

Find out more.

Why are you wanting to store user passwords in the database? If you want users to connect through individually identifiable accounts, use Oracle's USER functionality. If you are building a web site and your users will be connecting through a generic user then the authentication is best managed through something in the middle tier which authenticates against Active Directory (or whatever) through LDAP (or whatever).

But if you really want to roll your own authentication then using a one-way hash as Tony suggests is the way to go. However, if you are on a recent release of Oracle (and your interest in the secure external password store suggests you are on 10g at least) then you ought to use DBMS_CRYPTO.HASH() with the SHA-1 algorithm rather than the older MD5.

APC  2010-01-29 13:27:53
Good points - I must investigate DBMS_CRYPTO. The reason I am using passwords stored in the database is that I am working on a public-facing website where anyone can register themselves. Built using Apex, of course!
Tony Andrews  2010-01-29 14:46:43
@Tony Andrews - Of course it is Apex - is there any other tool?
APC  2010-01-29 15:45:21

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security