
store password

Posted: Wed Sep 03, 2008 12:46 pm
by abalfazl
Hello!


Can you avoid storing the secret?
If you use an alternative implementation technique, it could remove the need to store secrets. For example, if all you need to do is verify that a user knows a password, you do not need to store passwords. Store one-way password hashes instead.
Also, if you use Windows authentication, you avoid storing connection strings with embedded credentials.
What are "one-way password hashes"? Which "alternative implementation techniques" do you suggest for storing passwords?



Do You Store Secrets?
Secrets include application configuration data, such as account passwords and encryption keys. If possible, identify alternate design approaches that remove any reason to store secrets. If you handle secrets, let the platform handle them so that the burden is lifted from your application wherever possible.

Could someone explain more about this: "If you handle secrets, let the platform handle them so that the burden is lifted from your application wherever possible"?

Re: store password

Posted: Wed Sep 03, 2008 12:51 pm
by andyhoneycutt
A one-way password hash is a good way to make sure you can't give away secrets even if you wanted to. For instance, let's say my password is "cheese". If I one-way encrypt this with, say, md5, and store it that way, I lose access to whatever that password really is. Then, in the future, if I want to check to see if I've typed my password correctly, I'll md5 my input and compare it to the stored md5 password.

Two-way encryption allows you to decode the secret in question. I prefer to use one-way encryption because it takes (nearly) all responsibility off me as a developer/dba.

-Andy

Re: store password

Posted: Wed Sep 03, 2008 4:00 pm
by Mordred
"one-way" means the function output cannot be directly reversed to recover the input. Other attacks are quite possible. My research shows that about 50% of unsalted passwords are trivially recoverable, and 80% are recoverable within 24 hours.

Details on the possible attacks and counter-measures are here:
viewtopic.php?t=62782
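The two posts above describe both halves of the picture: Andy's hash-and-compare scheme (store md5(password), compare md5(input) at login) and Mordred's warning that an unsalted hash is not reversed but simply looked up. The following Python is an added example, not code from either poster or from the guidance being quoted. It puts the unsalted md5 scheme beside a verifier built from a per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library), and shows why the attacker's precomputed table works against the first and not the second. The wordlist, the function names and the `pbkdf2_sha256$iterations$salt$hash` storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for a cracker's dictionary (not from the original thread).
WORDLIST = ["password", "123456", "letmein", "cheese", "qwerty"]


def md5_unsalted(password: str) -> str:
    """The scheme Andy describes: store md5(password), compare md5(input) on login."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted_md5(stored_hashes: Iterable[str], wordlist=WORDLIST) -> Dict[str, str]:
    """Mordred's point: with no salt, one table of md5(word) built once serves every
    stored hash in the database, so each recovery is a dictionary lookup."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


ITERATIONS = 100_000  # assumed work factor; tune to your hardware budget


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a verifier, not the secret: random per-user salt plus an iterated KDF.
    Format (assumed for this example): pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, verifier: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = verifier.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported verifier format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(verifiers: Dict[str, str], wordlist=WORDLIST) -> Tuple[Dict[str, str], int]:
    """Against salted verifiers no table can be shared: the attacker must rerun the
    full KDF for every (user, word) pair. Returns found passwords and KDF runs spent."""
    found: Dict[str, str] = {}
    kdf_calls = 0
    for user, v in verifiers.items():
        for word in wordlist:
            kdf_calls += 1
            if verify(word, v):
                found[user] = word
                break
    return found, kdf_calls


if __name__ == "__main__":
    # Unsalted md5: both users chose "cheese", so their stored hashes are identical
    # and one lookup recovers both.
    unsalted_db = {"alice": md5_unsalted("cheese"), "bob": md5_unsalted("cheese")}
    print("unsalted md5 recovered:", crack_unsalted_md5(unsalted_db.values()))

    # Salted, iterated verifiers: same password, different stored values, and every
    # guess costs a full KDF run per user instead of a lookup.
    salted_db = {"alice": make_verifier("cheese", iterations=1000),
                 "bob": make_verifier("cheese", iterations=1000)}
    print("alice and bob verifiers differ:", salted_db["alice"] != salted_db["bob"])
    print("login with correct password:", verify("cheese", salted_db["alice"]))
    print("login with wrong password:", verify("cheez", salted_db["alice"]))
    print("salted crack (found, KDF runs):", crack_salted(salted_db))
```

The salt does not stop a weak password like "cheese" from being guessed; it removes the shared precomputed table, and the iteration count makes each guess cost a full KDF run per user. Today one would reach for a purpose-built password hash (bcrypt, scrypt or Argon2) rather than plain PBKDF2, but the structure above, salt plus work factor plus constant-time compare, is the same.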