I've created a default MVC 4 project with login authentication
When I register for an account with password: 123456
Why is it stored in the SQL database as: ALWsAlpVTehuGr7W2jaGwoX3Ww0RE5GC+yYDITvCpCdHmIIrX7vwMoTW3cEbMsGd4w==
If so, how does it compare the 2 strings to check whether the password entered is correct?
By default when passwords are stored in an SQL database they are encrypted. When you try logging in again the password will be encrypted before the authentication attempt, then this encrypted password will be compared to the one stored in the database.
It is disturbingly common for companies databases to become compromised. Imagine if a hacker got a copy of your database and right there was everyone's usernames and passwords in plain text. Most people use the same password for multiple sites so imagine the repercussions. Whereas if the hacker only has the encrypted passwords there is no way to reverse the salt and get the original plain text passwords out.
Related
Is there a way to view the password of non-sysadmin accounts on SQL Server 2016?
I'm a database admin. I can simply change the password for the user, but I'd love to know if there is a way I can retrieve the password without resetting it.
In SQL Server user and login passwords are never stored; they are hashed. When a user logs in by presenting a password, that password is hashed and compared to the stored hash.
My vba code in an MS Access database (which has access to a SQL Server) has - for reasons I have no control over - to control a ftpUser. So there is the need to use the ftpUsername and the corresponding password. For this I have to create a string like this: "ftp://do-main\thFtpUser:thesecretPwd/some/path/" and pass it to a internal web service.
How to store the password, so the person who works with the MS Access file (aka the user) has no access to the password of the ftp user? At least it should be as difficult as possible for the user to get the password.
The solution used here: MS access Encrypt Users Passwords Stored in User Table (SQL) is just a step more to obscure the password. But everyone who has access to the VBA code and the SQL Server can get the password in plain text.
Other solutions like storing just the hash and comparing the input will not work because I have to construct the string to pass it to another program.
I already figured out that the password should at least be in the SQL Server database so not everyone who got to the MS Access file with the code can get the password.
You can make an MS Access executable file (accde) and distribute. That way your VBA code incl. ftp credentials will be (reasonably) hidden from (general) users.
I have to encrypt the password in database table.
In stored procedure(for login) password will come as input, that password I need to encrypt inside the procedure and match with the encrypted password in my database table.
I should not decrypt password.
I tried EncryptByPassPhrase for encryption but the problem here is every time it will generate some new random number. so when I tried to encrypt the input password it generated a different encrypted password and it didn't match with my encrypted password in my db table
It can be achieve by using HASHBYTES('SHA2_512', 'password') it will give the same encryption every time.
There is a ready-made SDK (Virgil Security PureKit SDK) that is an implementation of the Password-Hardened Encryption (PHE) protocol – a powerful and revolutionary cryptographic technology that provides stronger and more modern security, that secures users' data and lessens the security risks associated with weak passwords.
PureKit SDK allows developers to interact with PHE Service to protect users' passwords and sensitive personally identifiable information (PII data) in a database from offline/online attacks and makes stolen passwords/data useless if your database has been compromised. Neither Virgil nor attackers know anything about users' passwords/data.
I have read that one way to store passowrds in a database is by the following way. To have a database table with columns username, hash and salt. The salt would never be shown.
I generate the hash with password + salt. The password is send by the user and is not stored in the database. If the generated hash is the same as that stored in the database, the password is correct.
But I have my doubts. If I send the password, it could be sniffed while it is transmitted by the wire, so I think that it is neccesary to encrypt the communication too. So using a hash and salt is only to protect the data from the administrator? I mean that if I store the password in database, an administrator could easily access all information. If I store the hash, the administrators can't access to the information of users becasue the administrator don't have the half of the information, only the salt and not the password. However, while the user need to send the password, this could be sniff by someone, so the password is exposed.
How is the best way to protect the information of the user?
Thanks.
Hashed passwords also protect your data from outsiders. Imagine, if someone accessed your data using a SQL injection he would only get a hash & not the pass. You can use HTTPS for secure communication over your network & use your existing table of hashed passwords for a good security model. Secure salted password hashing
If you have to transmit the password in clear then you must protect it in transit. From browser to http server you need SSL/TLS. From application server to database you need encrypted connections.
There are schemes that don't require the transmission of password, the best know being HTTP Digest. You can store Digest's HA1 part in the database. The realm secret and user name contained in the HA1 digest contain as an effective protection against rainbow tables, but the fact that Digest is still based on MD5 makes the scheme relatively weak against a sufficiently well equipped brute force. However such a brute force would only reveal a colission that is specific to the given user name and realm, thus making it of very little use.
Is it possible to retrieve (if the user has sa rights) the password of a user in SQL Server 2008 R2?
The scenario is this: I need to automatically store in a document the list of all usernames and passwords, but without changing the password, just reading the actual password.
Is this possible or not?
Yes you can for SQL logins.
You read the hashed passwords sys.sql_logins (maybe only via the DAC) and use a tool like NGS SQLCrack.
However, there is almost no requirement ever to keep these in a document.
For Windows based logins, no. The password is in AD.
And read this: "What are the arguments for and against a network policy where the sys admin knows users passwords?"