dand999
Starting Member
7 Posts
Posted - 2010-08-26 : 16:18:21
We have a SS2000 database. It is used as the backend for a website. One table has the user's login and passwords. The passwords look to be encrypted. Does SS2000 have the capability to encrypt the passwords or is that something that the application may have done? I read somewhere that there is no built-in column value encryption technique in SS2000. Is that true? If it's possible for SS2000 to encrypt a column, is there a way to decrypt those passwords? The database is being moved to a new vendor and the intent is to move the data to an Oracle database. They don't want to ask the users to register again if possible. Thanks for your help. DanD
tkizer
Almighty SQL Goddess
38200 Posts
SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2010-08-26 : 17:24:39
It may not even be encrypted passwords. It is more likely to be hash values, derived from a password and some salt. N 56°04'39.26"E 12°55'05.63"
dand999
Starting Member
7 Posts
Posted - 2010-08-26 : 20:30:08
quote: Originally posted by Peso It may not even be encrypted passwords. It is more likely to be hash values, derived from a password and some salt.
I think I read somewhere that it would be next to impossible to get the passwords from the hash values - with or without salt. Correct? Thanks
dand999
Starting Member
7 Posts
Posted - 2010-08-26 : 20:31:49
quote: Originally posted by dand999
quote: Originally posted by tkizer The application is doing the encryption. Do you have access to the source code? Tara Kizer, Microsoft MVP for Windows Server System - SQL Server, http://weblogs.sqlteam.com/tarad/
Can SQL Server create the hash values? If so, can it get the passwords back from the hash values? So there is no capability within SS2000 to do the encryption? I think the web site was written in PHP. Do you know if PHP can do encryption? Thanks
Kristen
Test
22859 Posts
Posted - 2010-08-27 : 01:50:33
The point of HASH + SALT is that even if the database is stolen it will not be possible to work out what people's passwords were. Assume that your users are using the same password that they use for their online banking - it is best that you do not let a minor security lapse on your system turn into headline news!

IF your system is doing this then there is no way to reverse engineer a password. You cannot send your users "Forgotten password reminder" emails - you will have to use some other system like a temporary password and force them to then change their password.

To check if a user's password is correct you process it using the SALT and the HASH and then compare it against the value stored in the database - if they are the same then the user has the correct password.

It is also possible that the passwords are encrypted - i.e. they can be reversed. That would most probably be done in your application (because then they would be secure in transit to SQL as well).

All that aside, I think there are some undocumented system stored procedures in SQL 2000 for encrypting passwords.
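The storage and check Kristen describes above (salt + hash on the way in, re-hash with the stored salt and compare on the way out, and a temporary password instead of a "reminder" email when a user forgets), as an added Python example. This is not code from the thread or from any poster's application; PBKDF2-HMAC-SHA256, the iteration count, the in-memory dict standing in for the users table and the sample usernames and passwords are all assumptions made for the example. It shows why the stored value cannot be turned back into the password and what a reset flow has to do instead.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for this example;
# a real deployment tunes it to its own hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(users: Dict[str, dict], username: str, password: str) -> None:
    """Store only the salt and the digest, hex-encoded as they would sit in a
    table column. The plaintext password is never written anywhere."""
    salt, digest = hash_password(password)
    users[username] = {"salt": salt.hex(), "digest": digest.hex(), "must_change": False}


def verify_password(users: Dict[str, dict], username: str, candidate: str) -> bool:
    """The check Kristen describes: hash the candidate with the stored salt and
    compare against the stored digest. hmac.compare_digest keeps the comparison
    constant-time so a mismatch position is not leaked through timing."""
    row = users.get(username)
    if row is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(candidate)
        return False
    _, digest = hash_password(candidate, bytes.fromhex(row["salt"]))
    return hmac.compare_digest(digest, bytes.fromhex(row["digest"]))


def issue_temporary_password(users: Dict[str, dict], username: str) -> str:
    """Forgotten-password flow when the stored value cannot be reversed:
    generate a random temporary password, store its hash in place of the old
    one, and flag the account so the user must pick a new password next login."""
    temp = secrets.token_urlsafe(12)
    salt, digest = hash_password(temp)
    users[username].update({"salt": salt.hex(), "digest": digest.hex(), "must_change": True})
    return temp  # delivered to the user out of band; never stored in clear


if __name__ == "__main__":
    table: Dict[str, dict] = {}  # stands in for the users table (constructed)
    register(table, "dand", "correct horse battery staple")
    print(table["dand"])  # salt and digest only; the password is not recoverable from this
    print(verify_password(table, "dand", "correct horse battery staple"))  # True
    print(verify_password(table, "dand", "wrong password"))  # False
    temp = issue_temporary_password(table, "dand")
    print(verify_password(table, "dand", temp), table["dand"]["must_change"])  # True True
```

Because verification only needs the salt, the digest and the same hash function, the check works wherever those two columns are stored; what the new system must reproduce is the hashing scheme, not the database product.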
dand999
Starting Member
7 Posts
Posted - 2010-08-27 : 08:07:32
quote: Originally posted by Kristen The point of HASH + SALT is that even if the database is stolen it will not be possible to work out what people's passwords were. Assume that your users are using the same password that they use for their online banking - it is best that you do not let a minor security lapse on your system turn into headline news! IF your system is doing this then there is no way to reverse engineer a password. You cannot send your users "Forgotten password reminder" emails - you will have to use some other system like a temporary password and force them to then change their password. To check if a user's password is correct you process it using the SALT and the HASH and then compare it against the value stored in the database - if they are the same then the user has the correct password. It is also possible that the passwords are encrypted - i.e. they can be reversed. That would most probably be done in your application (because then they would be secure in transit to SQL as well). All that aside, I think there are some undocumented system stored procedures in SQL 2000 for encrypting passwords.
Thanks Kristen. Can SQL Server 2000 insert the hash values or would that have to be done by the application?
dand999
Starting Member
7 Posts
Posted - 2010-08-27 : 08:18:59
quote: Originally posted by Kristen The point of HASH + SALT is that even if the database is stolen it will not be possible to work out what people's passwords were. Assume that your users are using the same password that they use for their online banking - it is best that you do not let a minor security lapse on your system turn into headline news! IF your system is doing this then there is no way to reverse engineer a password. You cannot send your users "Forgotten password reminder" emails - you will have to use some other system like a temporary password and force them to then change their password. To check if a user's password is correct you process it using the SALT and the HASH and then compare it against the value stored in the database - if they are the same then the user has the correct password. It is also possible that the passwords are encrypted - i.e. they can be reversed. That would most probably be done in your application (because then they would be secure in transit to SQL as well). All that aside, I think there are some undocumented system stored procedures in SQL 2000 for encrypting passwords.
Is there a way to tell by looking if the data is hash values or if it is encrypted?
SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2010-08-27 : 09:05:12
quote: Originally posted by dand999 Is there a way to tell by looking if the data is hash values or if it is encrypted?
No. Even if you KNOW it's encrypted, you will have to know two things:
1) The password, of course
2) The decrypting algorithm
N 56°04'39.26"E 12°55'05.63"
dand999
Starting Member
7 Posts
Posted - 2010-08-27 : 09:43:34
quote: Originally posted by Peso
quote: Originally posted by dand999 Is there a way to tell by looking if the data is hash values or if it is encrypted?
No. Even if you KNOW it's encrypted, you will have to know two things: 1) The password, of course 2) The decrypting algorithm
Thanks Peso