RE: How should password be stored in Database?
- Subject: RE: How should password be stored in Database?
- From: "Albert Jagnow" <email@hidden>
- Date: Tue, 3 Jun 2003 15:21:20 -0500
- Priority: normal
- Thread-topic: How should password be stored in Database?
For making passwords secure in a database it does not so much matter the
type of field the data is stored in, rather what algorithm is used to
store the data. For storing passwords you should use some type of hash
like MD5, SHA, etc. Something that is a one way conversion and cannot
be converted back to the user's password. Unlike a credit card number
there is generally no need to get the password back into any readable
form, you only need to validate what the user enters. To validate the
password you just hash what the user entered and compare that to the
hash that is stored in the database. Take a look at the Java security
classes for details on this.
http://java.sun.com/j2se/1.4.2/docs/api/java/security/MessageDigest.html
Hashes like MD5 and SHA create an output of a fixed length of bytes
regardless of the input. So you just need enough room in the database
to store these bytes. What I have done in the past is convert the
output from the hash in to a hex string and just store that as a string
in the database. MD5 for example when converted into a hex string is
always 32 characters.
Here is some very simple MD5 hashing sample code. I just typed this out
and it has not been tested, so be warned.

    import java.nio.charset.StandardCharsets;
    import java.security.*;

    // Hash the password with MD5 and return the 16-byte digest as a 32-character hex string.
    public String getHashAsHexString(String userInputPasswordString){
        try{
            MessageDigest algorithm = MessageDigest.getInstance("MD5");
            algorithm.reset();
            // encode explicitly so the hash does not depend on the platform default charset
            algorithm.update(userInputPasswordString.getBytes(StandardCharsets.UTF_8));
            byte[] digest = algorithm.digest();
            //convert to hex
            StringBuffer hexDigest = new StringBuffer();
            for(int i=0; i< digest.length; i++){
                // pad to two hex digits so a byte such as 0x0A becomes "0a", not "a"
                String hex = Integer.toHexString(0xFF & digest[i]);
                if(hex.length() == 1){
                    hexDigest.append('0');
                }
                hexDigest.append(hex);
            }
            return hexDigest.toString();
        }catch(NoSuchAlgorithmException error){
            // MD5 is a required algorithm in every Java runtime, so this should not happen
            throw new IllegalStateException("MD5 not available", error);
        }
    }
There are those applications where if you forget your password you can
have it emailed to you. In that case some type of encryption rather
than a hash would be required as you would need to be able to retrieve
what the user entered. I prefer not to ever email password
information, and make the user contact someone to have their password
reset if they forget it. Then again many of the applications I have
worked on that require passwords were finance applications, and had a
fairly high security requirement.
Securely storing the password is only one layer of the security process.
To make sure the data is really secure you will want to make sure access
to the database is secure as well. Also use SSL or some other secure
way of transmitting the password from the browser to the application.
--Albert
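The store-and-validate flow described in the reply above, as an added example that is not from the thread: it keeps the MessageDigest-to-hex approach but goes a step further by adding a per-user random salt (which the thread does not mention) and a constant-time digest comparison, and uses SHA-256 in place of MD5. The PasswordStore class, the helper names and the "salt:digest" record format are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class PasswordStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String ALGORITHM = "SHA-256"; // 32-byte digest -> 64 hex characters

    // Two hex characters per byte, always: 0x0A must become "0a", never "a".
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b & 0xFF));
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    // digest(salt || password): the salt makes identical passwords hash differently per user
    static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }

    // The string to store in the password column: "<salt hex>:<digest hex>" (assumed format)
    static String createRecord(String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return toHex(salt) + ":" + toHex(digest(salt, password));
    }

    // Validation: re-hash the attempt with the stored salt and compare digests in constant time
    static boolean verify(String storedRecord, String attempt) {
        String[] parts = storedRecord.split(":");
        if (parts.length != 2) return false;
        byte[] actual = digest(fromHex(parts[0]), attempt);
        return MessageDigest.isEqual(fromHex(parts[1]), actual); // not Arrays.equals: timing-safe
    }
}
```

A single plain digest is still fast to compute, so a purpose-built password hash (PBKDF2, bcrypt or similar) is the usual choice today; the salt and record handling here carry over unchanged.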
-----Original Message-----
From: Alex Eagar [mailto:email@hidden]
Sent: Tuesday, June 03, 2003 12:21 PM
To: email@hidden
Subject: How should password be stored in Database?
I'm designing a new database (MySQL) for a WebObjects application. In
EOModeler I have an attribute called "password." I could store it as
an NSData/BLOB, NSString/TEXT, or perhaps something else. The NSString
doesn't seem like it would be very secure; what do you think a good
option would be? I'm not a Database expert, but I know the basics of
how to run one. This is for a family program, but I'd like to get into
good habits as far as security goes for future projects.
Thanks for your time,
Alex Eagar
_______________________________________________
webobjects-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/webobjects-dev
Do not post admin requests to the list. They will be ignored.
This e-mail (including any attachments) is covered by the Electronic
Communications Privacy Act, 18 USC. 2510-2521. It is confidential and
may be legally privileged. If you are not the intended recipient, you
are hereby notified that any retention, dissemination, distribution, or
copying of this communication is strictly prohibited. Please reply to
the sender that you have received the message in error, and then delete
it. Thank you.