Re: Encrypt / Decrypt password?
From: Matt Barton (firstname.lastname@example.org)
- In reply to: Mn: "Encrypt / Decrypt password?"
From: Matt Barton <email@example.com>
Date: Fri, 24 May 2002 22:44:09 -0500
To: Mn <firstname.lastname@example.org>
On Fri, 24 May 2002, Mn wrote:
> Environment: NT 4.0 Server (w/ latest service pack), MS-SQL Server 6.5,
> ASP, IIS 4.0
> Web application has a login / password ASP page.
> Would like to know how users' password could be encrypted and stored in
> the database. Also, should be able to decrypt the password to facilitate
> "Email my password" functionality for users who forget their password.
> Tried CAPICOM.DLL. But it encrypts a 10 character plain text to 142
> characters (for Algorithm = 3, 3DES). This would require password column
> in application table to be of approximately 150 characters!!! (there are
> 2000 users! Would like to avoid large column width).
> Am not sure if I could use CAPICOM.DLL for this purpose.
We've got a programmer in our company who is using CAPICOM.DLL for an
internal application we're building. As I understand it, once the key has
been cracked, all passwords become vulnerable. I may be wrong on that.
Personally, I believe the most secure thing to do is to store all your
passwords as hashes, in either SHA1 or MD5. No key, and passwords have to
be brute-forced individually.
You can still do the "e-mail my password" functionality by validating
other information about the user and then e-mailing a new password to them
which they could change later. Better yet, you can send them an e-mail
with a URL that will force them to reset their password.
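The two pieces of advice in the reply above (store a hash rather than a recoverable ciphertext, and handle "e-mail my password" with a one-time reset URL instead) as an added worked example; this is not code from the original thread or its authors. It assumes an in-memory dictionary standing in for the SQL table, a placeholder `https://example.invalid/reset` URL, and hypothetical function names. It also goes beyond the post: instead of a bare SHA1 or MD5 digest it uses a per-user random salt with PBKDF2-HMAC-SHA256, which is what current guidance recommends, so that two users with the same password get different stored values and each one still has to be brute-forced individually.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory "user table"; in the post's setting this would be a
# SQL Server table with a fixed-width password column (the stored string below
# is always the same length, whatever the password length).
USERS = {}

PBKDF2_ITERATIONS = 600_000          # current OWASP figure for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL_SECONDS = 15 * 60    # reset links stop working after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A fresh random salt per user means identical passwords hash differently, so
    a leaked table cannot be attacked with one precomputed lookup for all users."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time; the plaintext is never stored and cannot be recovered."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(username: str, password: str) -> None:
    USERS[username] = {"password_hash": hash_password(password), "reset": None}


def login(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and verify_password(password, user["password_hash"])


def start_password_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a one-time reset token and return the URL to e-mail the user.

    Only a hash of the token is stored, so someone reading the database still
    cannot construct a working reset link. The caller should respond the same
    way whether or not the user exists, to avoid leaking valid usernames."""
    user = USERS.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    user["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": now + RESET_TOKEN_TTL_SECONDS,
    }
    # Hypothetical reset endpoint; the real application would use its own URL.
    return f"https://example.invalid/reset?user={username}&token={token}"


def complete_password_reset(
    username: str, token: str, new_password: str, now: Optional[float] = None
) -> bool:
    """Consume the token (single use, whether or not it matches) and, if it was
    valid and unexpired, replace the stored hash with one for the new password."""
    user = USERS.get(username)
    if user is None or user["reset"] is None:
        return False
    pending = user["reset"]
    user["reset"] = None
    now = time.time() if now is None else now
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]) or now > pending["expires"]:
        return False
    user["password_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print("login ok:", login("alice", "correct horse battery"))
    url = start_password_reset("alice")
    print("mail this link:", url)
    token = url.split("token=")[1]
    print("reset ok:", complete_password_reset("alice", token, "new passphrase"))
    print("old password still works:", login("alice", "correct horse battery"))
```

The stored value is about 120 characters regardless of the password's length, which addresses the column-width worry in the original question without keeping anything that could be decrypted. The reset token is random, hashed at rest, bound to one user, time-limited, and invalidated on first use, so a forwarded or intercepted e-mail is only useful briefly and once.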