Subject Re: [firebird-support] Re: I want to store encrypted passwords in a VARCHAR(50) field
Author Kjell Rilbe
Den 2012-11-23 18:36 skrev red_october2009 såhär:
> [snip]
> Problem: I need to store thousands of encrypted passwords using cps in
> a FB database. FB has no problem handling this data, but dbExpress,
> although it's a great product, has a couple limitations with
> transferring binary data not in a BLOB type zero field.
> [snip]
> [snip]
> This method works because each product is handling something it is
> familiar with. Security is maintained even if some one breaks into
> your DB, they can't see everyone's password.

Actually, this is not very safe. There have been numerous(?) scandals
where password databases have been stolen and published, even if the
passwords were encrypted.

You should really not store decryptable passwords at all. You should,
instead, store a hash. When someone tries to log in, you don't decrypt
the stored password and compare it with the one entered. Instead you
hash the entered password and compare it with the hash you've stored.
This way, it's "impossible" to steal your password database.

I quoted "impossible", because it is actually possible to crack them
even in a hashed state using brute force techniques combined with some
intelligent methods to reduce the "brute" of that "force". ;-)

You should choose a strong hash algorithm, e.g. RFC 2898, because it is
slow and thus makes a brute force attack more costly and less viable.

Some reading:


Kjell Rilbe
Telefon: 08-761 06 55
Mobil: 0733-44 24 64