1

I have a program where the user inputs a password to log in. The password is then saved within a SQL 2000 Database table called users.

The problem is that anyone who has SQL Query Analyzer or Enterprise Manager can very easily read these passwords.

I want the program to construct a GUID from each user's password and store that GUID inside the SQL table and then when it's validating user password input it deconstructs the related GUID and gets the original string value to match it with user input.

Now I'm not sure this is possible but I heard some IT specialists talking about the subject and they weren't the kind you would ask for help.

SchmitzIT
  • 2
    Take a look at [Difference between Hashing a Password and Encrypting it](http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it) then [Is it possible to calculate MD5 hash directly in T-SQL language?](http://stackoverflow.com/questions/910617/is-it-possible-to-calculate-md5-hash-directly-in-t-sql-language) – Alex K. Nov 08 '12 at 14:29

3 Answers

3

You're probably trying to re-invent the wheel here. There are lots of standard Password Hashing solutions out there.

Dennis Traub
  • Wow! Now that's a whole new field for me to start studying, but a very interesting one indeed (Password Hashing). You are amazing, thank you so much! – Salah Mousa Basha Nov 09 '12 at 14:37
  • @SalahMousaBasha happy to help. Please accept the answer by activating the checkmark, if it was helpful. – Dennis Traub Nov 09 '12 at 15:00
2

I think you should encrypt your password when storing it in the database and then decrypt the encrypted password for validation.

Also, you can use Hashing. Check this: Salted Password Hashing - Doing it Right

BTW:

Hashes are one-way functions. You cannot derive the original data from a hash.

In case of Encryption, the original data is recoverable from the encrypted data.

Refer:

Encryption/Decryption Function in .NET using the TripleDESCryptoServiceProvider Class

How to Encrypt or Decrypt password using Asp.Net with c#

Kapil Khandelwal
0

I believe I'll go with the Hash() method, which I learned much about from going through the links you provided: http://crackstation.net/hashing-security.htm Thank you.
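
The salted-hash approach the answers point to, as an added example that is not part of the original thread: the table stores a per-user salt and a PBKDF2 hash, and login re-hashes the input instead of reversing anything. An in-memory SQLite table stands in for the SQL Server `users` table; the column names, iteration count and sample credentials are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 200_000  # assumed PBKDF2 work factor; raise it as hardware allows
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way derivation: the password cannot be recovered from the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_demo_db() -> sqlite3.Connection:
    # Hypothetical schema standing in for the real users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def create_user(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every user
    db.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def verify_user(db: sqlite3.Connection, username: str, attempt: str) -> bool:
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Re-hash the attempt with the stored salt, then compare in constant time.
    return hmac.compare_digest(hash_password(attempt, salt), stored)


if __name__ == "__main__":
    db = open_demo_db()
    create_user(db, "alice", "S3cret!pass")  # constructed sample credentials
    print("correct password:", verify_user(db, "alice", "S3cret!pass"))
    print("wrong password:  ", verify_user(db, "alice", "guess"))
    # What someone browsing the table sees: random salt and hash bytes only.
    for name, salt, pw_hash in db.execute("SELECT * FROM users"):
        print(name, salt.hex(), pw_hash.hex())
```

Anyone who can query the table sees only the salt and the hash, and two users with the same password still get different stored values.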