views: 751 | answers: 1

I'm currently using Oracle 10g. I use the DBMS_CRYPTO package to encrypt the passwords of users for login. In order to encrypt or decrypt the data, I must have a key. So where should I put the key in order to hide it from other developers, or is there another way to encrypt data without being able to decrypt it back?

In SQL Server, I just use the PWDENCRYPT function to encrypt, and when I want to check whether the data entered by the users is correct or not, I use PWDCOMPARE. Please advise. Thank you.

+1  A: 

To hide the key from other developers, this article will hopefully be helpful; it includes a section on key management:

http://www.oracle.com/technology/oramag/oracle/05-jan/o15security.html

To encrypt data without being able to decrypt it back, you may wish to look into one-way hashes. Oracle provides this in the form of DBMS_CRYPTO.HASH, which is simple to use (as discussed here):

SQL> -- typ 1 is DBMS_CRYPTO.HASH_MD4 (2 = HASH_MD5, 3 = HASH_SH1)
SQL> select SYS.DBMS_CRYPTO.HASH('FFFFFF',1) from dual;
7D91F6D9BE28A9756B0D2F11D3AF4F0C

You then store only the hash in the database: you can verify the password by checking whether hashing the user's input matches the stored hash, but you cannot retrieve the password in any way.

Colin Pickard
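The store-then-compare flow from the answer above, written out as an added PL/SQL example (my code, not Colin Pickard's and not from the linked article). Assumptions: the table `app_users` and package `pwd_util` are names I chose; the schema has `EXECUTE` on `SYS.DBMS_CRYPTO` (and on `UTL_RAW` / `UTL_I18N`, which are public by default); the hash is SHA-1 (`DBMS_CRYPTO.HASH_SH1`), the strongest digest DBMS_CRYPTO offers in 10g, over a random per-user salt prepended to the UTF-8 bytes of the password, so two users with the same password do not share a hash and a stolen table cannot be attacked with one precomputed list.

```sql
-- Added example: salted one-way password storage in Oracle 10g with DBMS_CRYPTO.
-- Names (app_users, pwd_util) are illustrative. Prerequisite, run as SYS:
--   GRANT EXECUTE ON SYS.DBMS_CRYPTO TO <schema>;

CREATE TABLE app_users (
  username  VARCHAR2(30) PRIMARY KEY,
  pwd_salt  RAW(16)      NOT NULL,   -- random per-user salt
  pwd_hash  RAW(20)      NOT NULL    -- SHA-1(salt || password)
);

CREATE OR REPLACE PACKAGE pwd_util AS
  PROCEDURE set_password  (p_username IN VARCHAR2, p_password IN VARCHAR2);
  FUNCTION  check_password(p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;
END pwd_util;
/

CREATE OR REPLACE PACKAGE BODY pwd_util AS

  -- SHA-1 over salt || UTF-8 bytes of the password. Encoding the password
  -- explicitly keeps the hash independent of the database character set.
  FUNCTION salted_hash(p_salt IN RAW, p_password IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.HASH(
             UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
             DBMS_CRYPTO.HASH_SH1);
  END salted_hash;

  PROCEDURE set_password(p_username IN VARCHAR2, p_password IN VARCHAR2) IS
    l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);   -- fresh salt on every change
    l_hash RAW(20);
  BEGIN
    -- Computed here, not inside the MERGE: a package-private function
    -- cannot be referenced from a SQL statement.
    l_hash := salted_hash(l_salt, p_password);
    MERGE INTO app_users u
    USING (SELECT p_username AS username FROM dual) s
       ON (u.username = s.username)
     WHEN MATCHED THEN
       UPDATE SET u.pwd_salt = l_salt, u.pwd_hash = l_hash
     WHEN NOT MATCHED THEN
       INSERT (username, pwd_salt, pwd_hash) VALUES (p_username, l_salt, l_hash);
  END set_password;

  FUNCTION check_password(p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN IS
    l_salt RAW(16);
    l_hash RAW(20);
  BEGIN
    SELECT pwd_salt, pwd_hash INTO l_salt, l_hash
      FROM app_users
     WHERE username = p_username;
    -- Re-hash the supplied password with the stored salt and compare digests;
    -- UTL_RAW.COMPARE returns 0 when the two RAW values are identical.
    RETURN UTL_RAW.COMPARE(salted_hash(l_salt, p_password), l_hash) = 0;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN FALSE;   -- unknown user gets the same answer as a wrong password
  END check_password;

END pwd_util;
/

-- Usage (constructed sample data)
SET SERVEROUTPUT ON
BEGIN
  pwd_util.set_password('alice', 'correct horse battery staple');
  IF pwd_util.check_password('alice', 'correct horse battery staple') THEN
    DBMS_OUTPUT.PUT_LINE('login ok');
  END IF;
  IF NOT pwd_util.check_password('alice', 'wrong') THEN
    DBMS_OUTPUT.PUT_LINE('login rejected');
  END IF;
END;
/
```

Two caveats a practitioner would add. First, no key is involved, so there is nothing to hide from other developers; what still needs protecting is `EXECUTE` on `pwd_util` and `SELECT` on `app_users`, since anyone who can read the table can run an offline guessing attack against it. Second, SHA-1 is fast, which is the opposite of what a password hash wants; DBMS_CRYPTO in 10g ships no slow key-derivation function, so if the database must do the hashing, at least iterate `DBMS_CRYPTO.HASH` many thousands of times inside `salted_hash`, or move the password hashing to the application tier where a purpose-built algorithm is available.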