Saturday, February 25, 2012

best datatype to save password

Hi,

What is the best datatype to save a user's password in an encrypted format? Is there a ready datatype for that, or do I have to send the password encrypted to the database?

Thanks..

If you send it in clear text to the server and then check it there, anyone who has access to the connection between your application and the server would be able to see the password. The best practice would be to use a recognized one-way hashing algorithm and send only that over the connection.

This way it will be up to your application to hash and match the password, and snooping on the line will be less interesting for hackers.

|||

Does this mean SQL Server doesn't have a ready encrypted datatype?

If yes, what would be the best way to encrypt if I am using C#?

Thanks.

|||

SHA256 would probably be stronger than most expect.
http://msdn2.microsoft.com/en-us/library/system.security.cryptography.sha256.aspx

Store it as varbinary(32)

|||

An SHA256 hash (or any hash, for that matter) of the password alone is completely insecure unless strong passwords or pass phrases are used. Although SHA256 is technically a "one-way" transformation, in reality, it is easy to decode if the plain text is just a word. All that's necessary is to search for the hashed password in a dictionary of the SHA256 hashes of the million most common words. SHA256 is a reasonable choice as a message digest to signal unauthorized changes to the message, but it is not intended or useful for encoding single words.

Steve Kass
Drew University

Andreas Johansson@.discussions.microsoft.com wrote:
> SHA256 would probably be stronger than most expect.
> http://msdn2.microsoft.com/en-us/library/system.security.cryptography.sha256.aspx
>
> Store it as varbinary(32)

|||

I can only agree; it is important to use strong passwords.

http://en.wikipedia.org/wiki/Password_strength
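The two points made above, that an unsalted SHA256 of a single word falls to a precomputed dictionary of hashes and that only strong passwords survive a dictionary attack, can be shown concretely. The following is an added example by the editor, not code from any poster in this thread. It is written in Python rather than the asker's C# because the hashing and lookup are language-independent; the wordlist, the fixed salt used in the comments and the PBKDF2 iteration count are constructed assumptions. The salted, stretched variant (PBKDF2-HMAC-SHA256) goes beyond what the thread recommends and is included to show what a per-user salt changes and what it does not.

```python
"""Why an unsalted SHA-256 of a bare word is reversible by lookup, and what a
per-user salt plus key stretching changes.  Added example, not from the
original thread; the wordlist and salts below are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for "a dictionary of the SHA256 hashes of the
# million most common words".
COMMON_WORDS: List[str] = ["password", "letmein", "dragon", "sunshine",
                           "qwerty", "monkey", "football"]

# PBKDF2 work factor (assumed value; tune to your hardware).
ITERATIONS = 50_000


def sha256_digest(password: str) -> bytes:
    """Unsalted SHA-256: the 32 raw bytes a varbinary(32) column would hold."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_lookup_table(words: List[str]) -> Dict[bytes, str]:
    """Precompute digest -> word once. With no salt, one table cracks every
    user whose password is in the list, in every database."""
    return {sha256_digest(w): w for w in words}


def crack_unsalted(stored: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """One dictionary lookup recovers the word; no hashing at attack time."""
    return table.get(stored)


def make_salted_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Salted, stretched alternative: store (salt, iterations, derived_key).
    PBKDF2-HMAC-SHA256 from the standard library; salt is random per user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def verify_salted(password: str, salt: bytes, iterations: int, dk: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def crack_salted_with_table(record: Tuple[bytes, int, bytes],
                            table: Dict[bytes, str]) -> Optional[str]:
    """The precomputed table never matches: stored bytes depend on the salt."""
    return table.get(record[2])


def crack_salted_online(record: Tuple[bytes, int, bytes],
                        words: List[str]) -> Tuple[Optional[str], int]:
    """A weak password still falls, but the attacker must redo the full
    PBKDF2 work for every guess, for every user.
    Returns (word or None, number of guesses made)."""
    salt, iterations, dk = record
    guesses = 0
    for w in words:
        guesses += 1
        if verify_salted(w, salt, iterations, dk):
            return w, guesses
    return None, guesses


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    weak = sha256_digest("dragon")
    print("stored varbinary(32):", weak.hex())
    print("lookup recovers:", crack_unsalted(weak, table))
    rec = make_salted_record("dragon")
    print("table against salted record:", crack_salted_with_table(rec, table))
    print("online dictionary against salted record:",
          crack_salted_online(rec, COMMON_WORDS))
    strong = make_salted_record("correct horse battery staple")
    print("strong passphrase, online:", crack_salted_online(strong, COMMON_WORDS))
```

If the salted form is used with SQL Server, the three fields map naturally onto varbinary(16) for the salt, int for the iteration count and varbinary(32) for the derived key; the iteration count is stored so it can be raised later for new records without invalidating old ones. Note that the salt only defeats the precomputed table: a password that is a single common word is still recovered by hashing the wordlist against that user's salt, which is exactly why the advice on strong passwords above still applies.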
