Security in stored procs with passphrase

  • I am developing an ASP.NET application. I assume the stored proc that uses the passphrase function can be seen, or hacked?

    What say ye, is it secure for basic password use over the web?

  • The best way to do this is not to store the password/passphrase at all. Rather, store a hash of the password/passphrase. You can get that by using a cryptographic hash function like SHA-1. For instance, this is the way Active Directory works. You can authenticate the user by generating a hash of the password entered and comparing it with the hash that is stored. If there is a match, the user is authenticated. Otherwise, you reject the attempt.

    K. Brian Kelley
    @kbriankelley
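    The store-a-hash, compare-a-hash pattern described in the reply above, as an added example that is not code from the thread or from any of its posters. It is plain Python rather than ASP.NET code-behind or T-SQL, and it uses a per-user random salt with PBKDF2-HMAC-SHA256 (a deliberately slow hash) instead of a bare SHA-1 digest, which goes beyond the reply: an unsalted single-pass hash of a short passphrase can be matched against precomputed tables. The record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the in-memory `users` table are all assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example (not from the thread). Parameters below are assumptions.
ITERATIONS = 200_000   # slows brute force; tune to your server's budget
SALT_BYTES = 16        # random per-user salt, stored beside the hash
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record derived from the password; the password itself is never kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the entered password and compare it with the stored record."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or foreign record: reject rather than guess
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so a mismatch leaks nothing about where the bytes differ.
    return hmac.compare_digest(candidate, expected)


# Stand-in for the users table a stored procedure would read (constructed for the example).
# A record computed once at import time so an unknown-user login still does real hashing work.
_DUMMY_RECORD = hash_password("dummy-password-for-timing")


def register(users: Dict[str, str], username: str, password: str) -> None:
    """Store only the hash record for a new user."""
    users[username] = hash_password(password)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate by hashing the entered password and comparing with the stored record.

    Unknown users are checked against a dummy record so that 'no such user' and
    'wrong password' take the same time and return the same answer.
    """
    record = users.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    table: Dict[str, str] = {}
    register(table, "digs", "The moon is round")
    print(table["digs"])                                 # hash record, not the passphrase
    print(login(table, "digs", "The moon is round"))     # True
    print(login(table, "digs", "the moon is round"))     # False
```

    Two records for the same passphrase differ because each gets its own salt, which is what keeps a leaked table from being matched against a precomputed list; the verifier still recovers the salt from the record itself, so nothing secret has to live in the code-behind or the stored procedure.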

  • So if my passphrase is "The moon is round"...

    I should not put this in my codebehind in a string variable; rather, I should encrypt it with "System.Security.Cryptography"

    code like: http://www.obviex.com/samples/hash.aspx

    So if the codebehind is hacked they can't get my password....

    SO are you saying the code in ASP.NET codebehind and T-SQL 2005 stored procedures can be hacked...?????

    That's not so good news...

  • Digs (1/9/2009)

    SO are you saying the code in ASP.NET codebehind and T-SQL 2005 stored procedures can be hacked...?????

    Anyone that has login rights to the SQL Server and either execute or view definition permissions on a stored procedure can read its contents. That includes the database administrators.

    It's not so much that they can be hacked. It's that it's bad practice to put an unencrypted password down anywhere. What if someone steals a USB drive that has the source code? Hacks the server and reads the .aspx files, etc.?

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • Very good point... thanks, and I will lock them all up...
