Saturday, February 25, 2012

scramble password

Hello group,
I have a fairly simple question (hopefully simple anyway). I have a table
that has basic application user data: name, address, city, email, password.
I now have a requirement to in bulk take the password and encrypt them. The
y
have already given me the function name to use: ToBase64Sting().
Here is the question; how can I run the password field into this function in
a stored procedure? I am not familier with this function but have done some
reading. I suspect I would just place the scrambled password into a second
field and delete the original, then rename the field. Any suggestions?update YourTable
set password = dbo.ToBase64Sting(password)
try doing this first and look at the the 2 fields
select password ,dbo.ToBase64Sting(password ) from YourTable
http://pixsells.blogspot.com
"Rich" wrote:

> Hello group,
> I have a fairly simple question (hopefully simple anyway). I have a table
> that has basic application user data: name, address, city, email, password
.
> I now have a requirement to in bulk take the password and encrypt them. T
hey
> have already given me the function name to use: ToBase64Sting().
> Here is the question; how can I run the password field into this function
in
> a stored procedure? I am not familier with this function but have done so
me
> reading. I suspect I would just place the scrambled password into a secon
d
> field and delete the original, then rename the field. Any suggestions?|||Rich wrote:
> Hello group,
> I have a fairly simple question (hopefully simple anyway). I have a
> table that has basic application user data: name, address, city,
> email, password. I now have a requirement to in bulk take the
> password and encrypt them. They have already given me the function
> name to use: ToBase64Sting().
> Here is the question; how can I run the password field into this
> function in a stored procedure? I am not familier with this function
> but have done some reading. I suspect I would just place the
> scrambled password into a second field and delete the original, then
> rename the field. Any suggestions?
Is the function they gave you a SQL Server callable function? If so, you
can just update the table directly, assuming the return value from the
function (which is likely just ASCII) is compatible with the data type
you are using for the column in the table. Something like:
Update
dbo.MyTable
Set
Password = dbo.ToBase64String(Password)
BTW, why are you storing passwords in the database? Base64 is not an
encryption scheme. It is an encoding scheme, used mainly by email system
to send attachments. Base64 is not secure and anyone with internet
access will be able to turn that Base64 value into the original
password. So, you may want to reconsider storing passwords in the
database.
David Gugick
Quest Software
www.imceda.com
www.quest.com|||Hello David,
see http://support.microsoft.com/defaul...kb;en-us;317535
I thought that this function would be available from the SQL Server however
this function does not appear to be part of TSQL. I tried the code fragment
you posted and I am thinking this will not work. This functionis something
the my web developers I work with are using so you comment about being secur
e
over the web scares me...
Rich
"David Gugick" wrote:

> Rich wrote:
> Is the function they gave you a SQL Server callable function? If so, you
> can just update the table directly, assuming the return value from the
> function (which is likely just ASCII) is compatible with the data type
> you are using for the column in the table. Something like:
> Update
> dbo.MyTable
> Set
> Password = dbo.ToBase64String(Password)
> BTW, why are you storing passwords in the database? Base64 is not an
> encryption scheme. It is an encoding scheme, used mainly by email system
> to send attachments. Base64 is not secure and anyone with internet
> access will be able to turn that Base64 value into the original
> password. So, you may want to reconsider storing passwords in the
> database.
>
> --
> David Gugick
> Quest Software
> www.imceda.com
> www.quest.com
>|||I see what you are doing we used to do the same
You use .NET encryption the function you mentioned is a .NET function
Have one of your web guys write a script to loop through the table and
update the password with the encrypted string
There is no way you can do this in SQL server 2000 (as far as I know that is
)
http://sqlservercode.blogspot.com/
"Rich" wrote:
> Hello David,
> see http://support.microsoft.com/defaul...kb;en-us;317535
> I thought that this function would be available from the SQL Server howeve
r
> this function does not appear to be part of TSQL. I tried the code fragme
nt
> you posted and I am thinking this will not work. This functionis somethin
g
> the my web developers I work with are using so you comment about being sec
ure
> over the web scares me...
> Rich
> "David Gugick" wrote:
>|||Hello SQL,
yes, yes, yes, you understand! I just need a loop to update that field with
that function they suggested! The problem is I will end up make the "loop".
I am looking at making this looper in MSAccess, connect to the table, run th
e
loop and be done with this. I just need to understand if this is a standard
VB function that I can drop the field into the function and let the thing
return the encrypted password.
Rich
"SQL" wrote:
> I see what you are doing we used to do the same
> You use .NET encryption the function you mentioned is a .NET function
> Have one of your web guys write a script to loop through the table and
> update the password with the encrypted string
> There is no way you can do this in SQL server 2000 (as far as I know that
is)
> http://sqlservercode.blogspot.com/
>
> "Rich" wrote:
>|||I don't know if MS Access will work
We used C# ASP.NET but I was not involved with this process
I don't know if MS Access can access those functions since they are .NET
specific
try one of the .NET newsgroups for this question
http://sqlservercode.blogspot.com/
"Rich" wrote:
> Hello SQL,
> yes, yes, yes, you understand! I just need a loop to update that field wi
th
> that function they suggested! The problem is I will end up make the "loop
".
> I am looking at making this looper in MSAccess, connect to the table, run
the
> loop and be done with this. I just need to understand if this is a standa
rd
> VB function that I can drop the field into the function and let the thing
> return the encrypted password.
> Rich
> "SQL" wrote:
>|||Store a hash of the password not the password itself. Hash the input and
compare both hashes to determine if they are the same. There are some
undocumented hash functions in SQL (don't remember the names) but you really
should hash it then send it to the server for comparison rather than send
the plain text password across the wire.
Derek Davis
ddavis76@.gmail.com
"SQL" <SQL@.discussions.microsoft.com> wrote in message
news:F32DD3BB-A829-456F-AF2A-18AA6D1FEEDB@.microsoft.com...
>I don't know if MS Access will work
> We used C# ASP.NET but I was not involved with this process
> I don't know if MS Access can access those functions since they are .NET
> specific
> try one of the .NET newsgroups for this question
> http://sqlservercode.blogspot.com/
>
> "Rich" wrote:
>

No comments:

Post a Comment