Storing passwords in sql server

  • 31-05-2007 03:18PM
    #1
    Registered Users, Registered Users 2 Posts: 872 ✭✭✭


    Hi,

    I'm creating a small app that will enable the user to log in once their account has been created. If they have forgotten their password they will be able to get it sent to their email address.

    What is the best way to store a password in a db?

    If I hash the password will I be able to email it to the user if they forget it?

    What about encryption, is this easy to implement?

    Thanks


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    grahamor wrote:
    If I hash the password will I be able to email it to the user if they forget it?
    No. But passwords should never be sent by email anyway.

    What you should do in the case of a forgotten password is point the user to a form that allows them to change the password. You will need to take additional details in order to verify that it is the user in question - the infamous "secret question". This has the unenviable job of being secret enough that nobody but the user will be able to answer it, but not so difficult that the user will forget. You'll have a fun time trying to pick that one...


  • Registered Users, Registered Users 2 Posts: 7,516 ✭✭✭matrim


    If you are using SQL Server 2005, it has built-in encryption using 3DES (I think).

    If it's SQL Server 2000 you need to get a third-party app or do it yourself before storing the password.


  • Closed Accounts Posts: 2,616 ✭✭✭8k2q1gfcz9s5d4


    MD5 hashing would be OK to use, if it is a small enough app.


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Message Digest is one-way encryption, so once encrypted it cannot be decrypted - hence the server cannot email out the password.

    What should be done, like Aidan said, is a secret question, and once they answer this correctly, they get to change their password.

    Of course you could get the server to change the password and send out the non-encrypted version to the user by email, but that wouldn't be the recommended way.
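
An added example, not part of any post in the thread: storing a salted one-way hash of the password and of the secret answer, and changing the password once the answer verifies. It uses PBKDF2-HMAC-SHA256 from Python's standard library rather than the MD5 or SQL Server encryption mentioned above; the `AccountStore` class, its field names and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def hash_secret(secret, salt=None):
    """Return (salt, digest). The plaintext is never stored and cannot be recovered."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_secret(candidate, salt, digest):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_secret(candidate, salt)[1], digest)


class AccountStore:
    """In-memory stand-in for the users table (hypothetical schema)."""

    def __init__(self):
        self.rows = {}

    def create(self, user, password, secret_answer):
        self.rows[user] = {
            "pw": hash_secret(password),
            # Normalise the answer so case or spacing slips do not lock the user out.
            "answer": hash_secret(secret_answer.strip().lower()),
        }

    def login(self, user, password):
        row = self.rows.get(user)
        return row is not None and verify_secret(password, *row["pw"])

    def reset_password(self, user, secret_answer, new_password):
        """Change the password only if the secret answer verifies."""
        row = self.rows.get(user)
        answer = secret_answer.strip().lower()
        if row is None or not verify_secret(answer, *row["answer"]):
            return False
        row["pw"] = hash_secret(new_password)  # fresh salt on every change
        return True
```

There is deliberately no function that returns the stored password: only the salt and digest exist, which is why the forgotten-password path replaces the password instead of mailing it out.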

