- From: Mark Brinsmead <mark.brinsmead@xxxxxxx>
- To: BurtonL@xxxxxxxxxxx
- Date: Wed, 16 Nov 2005 11:22:08 -0700
There have been lots of good technical suggestions here. I have little
technical to add, aside from perhaps one word: "RC5". The database
encryption/obfuscation packages provide a function to compute
RC5-hashes. Give it some consideration. Oh, yes, and use a large
random "salt". If you don't already know what password "salting" is, I
suspect a Google search (or a review of the UNIX manpages) will find you
all the information you need. (And DON'T use the "username" as the
salt, like one popular software package we all know...)
Perhaps more valuable advice is this: DO NOT USE SSN AS A DEFAULT PASSWORD!
I do not have detailed knowledge of U.S. legislation regarding SSNs, however, if it is anything like the Canadian counterpart then it is probably unlawful to use SSNs for ANYTHING other than reporting tax/employment information to the government.
I know that you probably have concerns about secure means of transmitting initial passwords to users (which are next to non-existent), but as a user of your system I would be much more comfortable with a randomly-generated initial password delivered by public e-mail than with the knowledge that your application code (and application developers) have access to my SSN. Of course, this does depend (a lot) on what that password can be used to access...
Anyway, that's just my two cents' worth. Happy password hashing.
Cheers, -- Mark Brinsmead
Justin Cave (DDBC) wrote:
Oracle has DBMS_OBFUSCATION_TOOLKIT (pre-10g) and DBMS_CRYPTO (post 10g) packages that allow you to both encrypt data and to hash it. For password storage, you almost certainly want to hash the password (which is unrecoverable) rather than encrypting it (which is recoverable). Oracle, Unix, and just about every other platform will hash passwords
Tom Kyte has an excellent discussion on this topic here-
*From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Burton, Laura
*Sent:* Tuesday, November 15, 2005 5:03 PM
We have a new user who will have an account created in an application (not a database user) by inserting into a table. When this occurs a trigger is fired to insert the user into other tables. A field in one of the tables is an encrypted password. We want the initial password to be the person's SSN, which was input into the table which fired the trigger. Does Oracle have an encryption process that can be executed to encrypt the SSN, in this example, before inserting into another table? We have looked on OTN but could not find anything. I know the easy thing to do would be to use a generic password so that we could just move the encrypted password in every time, but our user wants SSN so that it will be unique to that user until they are prompted to change their password on the initial log in to the application. Again, this is not a database user.
Thanks for the feedback.
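The following is an added illustration of the approach the replies above describe (hash the password with DBMS_CRYPTO rather than encrypt it, and prepend a large random salt that is not the username); it is example code written for this page, not code from the thread, from Oracle's documentation, or from Tom Kyte's discussion. The table app_users, its columns and the package name pw_util are assumptions for illustration; DBMS_CRYPTO.HASH, DBMS_CRYPTO.RANDOMBYTES and the UTL_RAW helpers are the standard Oracle 10g packages Justin Cave mentions.

```sql
-- Added example (not from the thread): salted password hashing in PL/SQL.
-- Assumed table: one row per application user, storing only salt + digest.
CREATE TABLE app_users (
  username VARCHAR2(30) PRIMARY KEY,
  pw_salt  RAW(16) NOT NULL,
  pw_hash  RAW(20) NOT NULL   -- SHA-1 digest is 20 bytes
);

CREATE OR REPLACE PACKAGE pw_util AS
  FUNCTION hash_password(p_password IN VARCHAR2, p_salt IN RAW) RETURN RAW;
  PROCEDURE set_password(p_username IN VARCHAR2, p_password IN VARCHAR2);
  FUNCTION verify_password(p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;
END pw_util;
/

CREATE OR REPLACE PACKAGE BODY pw_util AS
  -- digest = SHA1(salt || password). Prepending a per-user random salt means
  -- two users with the same password still get different stored digests.
  FUNCTION hash_password(p_password IN VARCHAR2, p_salt IN RAW) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.HASH(
             src => UTL_RAW.CONCAT(p_salt, UTL_RAW.CAST_TO_RAW(p_password)),
             typ => DBMS_CRYPTO.HASH_SH1);
  END hash_password;

  -- Generate a fresh 16-byte random salt for this user (never the username)
  -- and store salt and digest; the clear-text password is never written.
  PROCEDURE set_password(p_username IN VARCHAR2, p_password IN VARCHAR2) IS
    l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  BEGIN
    UPDATE app_users
       SET pw_salt = l_salt,
           pw_hash = hash_password(p_password, l_salt)
     WHERE username = p_username;
    IF SQL%ROWCOUNT = 0 THEN
      INSERT INTO app_users (username, pw_salt, pw_hash)
      VALUES (p_username, l_salt, hash_password(p_password, l_salt));
    END IF;
  END set_password;

  -- Recompute the digest with the stored salt and compare. The stored value
  -- cannot be turned back into the password, which is the point of hashing
  -- rather than encrypting.
  FUNCTION verify_password(p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN IS
    l_salt RAW(16);
    l_hash RAW(20);
  BEGIN
    SELECT pw_salt, pw_hash INTO l_salt, l_hash
      FROM app_users
     WHERE username = p_username;
    RETURN hash_password(p_password, l_salt) = l_hash;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN FALSE;   -- unknown user: fail closed
  END verify_password;
END pw_util;
/

-- Usage: set a password, then check a correct and an incorrect guess.
-- Constructed sample values; expected output is "ok" then "fail".
BEGIN
  pw_util.set_password('alice', 'correct horse');
  DBMS_OUTPUT.PUT_LINE(CASE WHEN pw_util.verify_password('alice', 'correct horse')
                            THEN 'ok' ELSE 'fail' END);
  DBMS_OUTPUT.PUT_LINE(CASE WHEN pw_util.verify_password('alice', 'wrong guess')
                            THEN 'ok' ELSE 'fail' END);
END;
/
```

The schema owner needs EXECUTE on DBMS_CRYPTO, which only SYS can grant, so this is a one-time DBA step. Note that DBMS_CRYPTO.HASH is a single fast digest round; it supports the salted-hash scheme the thread recommends, but it offers no slow, iterated key-derivation function, so the work factor against offline guessing comes only from the strength of the passwords users pick.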