Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Storing passwords in sql server

  • 31-05-2007 2:18pm
    #1
    Registered Users, Registered Users 2 Posts: 872 ✭✭✭


    Hi,

    Im creating a small app that will enable the user to login once their account has been created. If they have forgotten their password they will be able to get it sent to their email address.

    What is the best way to store a password in a db ?

    If i hash the password will i be able to email it to the user if they forget it ?

    What about encryption, is this easy to implement ?

    Thanks


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    grahamor wrote:
    If i hash the password will i be able to email it to the user if they forget it ?
    No. But passwords should never be sent by email anyway.

    What you should do in the case of a forgotten password is point the user to a form that allows them to change the password. You will needs to take additional details in order to verify that it is the user in question - the infamous "secret question". This has the inenviable job of being secret enough that nobody but the user will be able to answer it, but not so difficult that the user will forget. You'll have a fun time trying to pick that one...


  • Registered Users, Registered Users 2 Posts: 7,518 ✭✭✭matrim


    If you are using SQL Server 2005, it has built in encryption using 3DES (I think).

    If it's SQL server 2000 you need to get a third party app or do it yourself before storing the password.


  • Closed Accounts Posts: 2,616 ✭✭✭8k2q1gfcz9s5d4


    MD5 hashing would be ok to use, if it is a small enough app


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Message Digest is one way encryption so once encrpyted it cannot be decrypted - hense the server cannot email out the password.

    What should be done like Aiden said is a secret question and once they answer this correctly, they get to change their password.

    Of course you could get the server to change the password and send out the non encrypted version to the user by email but that wouldn't be the recommended way.


Advertisement