tags:

views:

888

answers:

5
+1  Q: 

MS SQL Server 2005 - case insensitive password problem

I am checking for username and password for login in a procedure in MS SQL SERVER 2005. Since SQL Server 2005 is case insensitive even if user gives a lowercase password instead of a upper case one, the system allows to login.

What should I do?? Is there any command in Sql Server 2005 which can check the same??

A: 

SQL Server 2005 is only by the default collation using case insensitive comparisons. You should not store passwords in plaintext. You should hash them with a reasonably secure hashing algorithm and store the hash. (perhaps you should really use a salt value as well but let's start with hashing).

BobbyShaftoe  2009-04-25 10:23:53
+2  A: 

Use a case sensitive collation - e.g.

...where Password = @password COLLATE SQL_Latin1_General_CP1_CS_AS

and yes, you shouldn't really store plain text passwords in the database!

Steve Willcock  2009-04-25 10:24:58
+1  A: 

NEVER NEVER NEVER store plain-text passwords! Store a hash of the password and compare that. You can use the HashBytes() function.

Joel Coehoorn  2009-04-25 10:25:10
A: 

Use a case sensitive collation for the compare, for example:

SELECT
  Id
FROM
  UserTable
WHERE
  UserName = @UserName
  AND Password = @Password COLLATE SQL_Latin1_General_Cp1_CS_AS

Use a collation that matches the character set of the password column.

One a different note - are you sure you want to store clear text passwords in the database? This is well in the Top 5 of the Don'ts when it comes to security decisions.

Tomalak  2009-04-25 10:25:50
can u elaborate on that?
Roshan  2009-04-25 10:45:53
A: 

There are situations where you may want to store clear text passwords so I won't repeat the advice everybody else has, although it's usually sound.

Besides setting the collation, you can also use the varbinary trick like so:

WHERE
  CAST(Password as varbinary(20)) = CAST(@Password as varbinary(20)) AND
  CAST(Username as varbinary(20)) = CAST(@Username as varbinary(20))

The above will also result in a case sensitive search - just remember to set the varbinary length to the same as the field lengths.

To avoid index scans, you can include the case insensitive search as well - that'll make an index seek and the perform the varbinary search afterwards:

WHERE
  Password = @Password AND
  Username = @Username AND
  CAST(Password as varbinary(20)) = CAST(@Password as varbinary(20)) AND
  CAST(Username as varbinary(20)) = CAST(@Username as varbinary(20))
Mark S. Rasmussen  2009-04-25 10:30:48
Can you give an example where it's valid to store a password as clear text? It would have to be in a system that I will never use, since there can be no valid example where I want you to know my password.
John Saunders  2009-04-25 11:41:45
Interoperability with legacy systems for example. All I'm saying is that there may be reasons for one to want to store cleartext instead of hashing it - and I really see no reason for 10 answers all stating the same advice without offering a direct solution for what the OP is asking.
Mark S. Rasmussen  2009-04-25 12:50:44

related questions

SQL Server, convert a named instance to default instance?
Natural (human alpha-numeric) sort in Microsoft SQL 2005
In MS SQL Server 2005, is there a way to export, the complete maintenance plan of a database as a SQL Script?
Does ReadUncommitted imply NoLock
Query to list all tables that contain a specific column with SQL Server 2005.
Can I maintain state between calls to a SQL Server UDF?
What are the benefits of using partitions with the Enterprise edition of SQL 2005
Upgrading Sharepoint 3.0 to SQL 2005 Backend?
What's the simplest way to execute a query in Visual C++
Can you perform an AND search of keywords using FREETEXT() on SQL Server 2005?
Create a database from another database?
What's the fastest way to bulk insert a lot of data in SQL Server (C# client)
SQL 2005 Book For Optimization Techniques
How do I create a mapping table in SQL Server Management Studio?
Cannot Add a Sql Server Login
SQL Server 2005 - Export table programatically (run a .sql file to rebuild it)
Diagnosing Deadlocks in SQL Server 2005
SQL2005: Linking a table to multiple tables and retaining Ref Integrity?
How to create a new instance of Sql Server 2005
SQL Server 2008 vs 2005 Linq integration
How do you kill all current connections to a SQL Server 2005 database?
Conditional Visibility and Page Breaks with SQL Server 2005 Reporting Services
SQL Server 2005 and 2008 on same developer machine?
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting