How to store passwords in database securely? - sql-server

I have read that one way to store passowrds in a database is by the following way. To have a database table with columns username, hash and salt. The salt would never be shown.
I generate the hash with password + salt. The password is send by the user and is not stored in the database. If the generated hash is the same as that stored in the database, the password is correct.
But I have my doubts. If I send the password, it could be sniffed while it is transmitted by the wire, so I think that it is neccesary to encrypt the communication too. So using a hash and salt is only to protect the data from the administrator? I mean that if I store the password in database, an administrator could easily access all information. If I store the hash, the administrators can't access to the information of users becasue the administrator don't have the half of the information, only the salt and not the password. However, while the user need to send the password, this could be sniff by someone, so the password is exposed.
How is the best way to protect the information of the user?
Thanks.

Hashed passwords also protect your data from outsiders. Imagine, if someone accessed your data using a SQL injection he would only get a hash & not the pass. You can use HTTPS for secure communication over your network & use your existing table of hashed passwords for a good security model. Secure salted password hashing

If you have to transmit the password in clear then you must protect it in transit. From browser to http server you need SSL/TLS. From application server to database you need encrypted connections.
There are schemes that don't require the transmission of password, the best know being HTTP Digest. You can store Digest's HA1 part in the database. The realm secret and user name contained in the HA1 digest contain as an effective protection against rainbow tables, but the fact that Digest is still based on MD5 makes the scheme relatively weak against a sufficiently well equipped brute force. However such a brute force would only reveal a colission that is specific to the given user name and realm, thus making it of very little use.

Related

How to ensure the security of admin password stored in database for synchronization with LDAP

I have an application that needs to sync periodically to my directory service (OpenLDAP or AD).
To do so, it is necessary to bind an admin account with a DN and password, to access users on LDAP.
As far as I understand, there is the possibility of using anonymous, however for security reasons, its use is not recommended.
Since this periodic synchronization is done automatically by a routine (hourly), I need to store in addition to the account DN, also admin password in the application database.
However, passwords are usually sent to be authenticated in plaintext against
directory service (within a secure SSL / TLS connection) and the directory service itself that finds its password stored in plaintext or some hash (md5, sha-1, etc.)
How to ensure the security of admin password stored in database for synchronization with LDAP? Or, is there a best practice to implement a sync periodic using LDAP?
Applications examples that require password (admin) to read LDAP.
Moodle
(https://docs.moodle.org/37/en/LDAP_authentication#Bind_settings)
Sugar CRM (https://support.sugarcrm.com/Knowledge_Base/Password_Management/Configuring_LDAP_Authentication_Using_Active_Directory/#Prerequisites)
But it does not clear how the password is stored.
It's true that anonymous bind is disabled by default in Active Directory. However, if you are just reading, you don't need an "admin" account. You need any account. The account does not need to have any special permissions. You just need something that can authenticate to the domain.
But if you're going to be authenticating users, then you will need to get the user's password, and you can just use the user's credentials to read from LDAP. That would be true for both AD and OpenLDAP.

Is there any function to Encrypt password other than EncryptByPassPhrase and master key?

I have to encrypt the password in database table.
In stored procedure(for login) password will come as input, that password I need to encrypt inside the procedure and match with the encrypted password in my database table.
I should not decrypt password.
I tried EncryptByPassPhrase for encryption but the problem here is every time it will generate some new random number. so when I tried to encrypt the input password it generated a different encrypted password and it didn't match with my encrypted password in my db table
It can be achieve by using HASHBYTES('SHA2_512', 'password') it will give the same encryption every time.
There is a ready-made SDK (Virgil Security PureKit SDK) that is an implementation of the Password-Hardened Encryption (PHE) protocol – a powerful and revolutionary cryptographic technology that provides stronger and more modern security, that secures users' data and lessens the security risks associated with weak passwords.
PureKit SDK allows developers to interact with PHE Service to protect users' passwords and sensitive personally identifiable information (PII data) in a database from offline/online attacks and makes stolen passwords/data useless if your database has been compromised. Neither Virgil nor attackers know anything about users' passwords/data.

Print my sa password

I've logged in to my sqlserver with a registred "sa" sql account and
I want to print (not change) my current password. I can change it but I have an application using the current password.
I have done
select * from sys.sql_logins where name ='sa'
but it gives me a hashed password
If it is impossible, how to export my sa connection to another sql server instance?
WARNING - HORRIFIC PRACTICE
Change your application to use a user OTHER THAN sa, and preferably without sysadmin permissions. Usually database level db_datareader, db_datawriter, and MAYBE db_ddladmin is enough, though it may need a GRANT EXECUTE on the database.
If you can't, then argue some more. In writing.
If you lose again, go change the sa password to a long, strong, cryptographically random password in concert with the application being updated with a new password.
And make sure that instance is used ONLY for that app, so the risk is limited to that one area.
Recovering the current sa password
First, you are a sysadmin, aren't you? You should already know the sa password! If you lost twice, just change the sa password on the other instance to that same one (or, better, change them both to something better), through ALTER LOGIN (below) or the GUI.
Second, realize that EVERY USER OF THAT APPLICATION CAN GET YOUR SA PASSWORD - they can almost certainly extract it right out of the application with a hex editor, looking for the string pwd or pass (either UCS-2 "Unicode" or ASCII).
You have the application, right? Consult your local security admins, and see if you're allowed to open it up in a hex editor and find the sa password yourself.
Moving the sa password
In general, if you want to move the same password around, you can use
ALTER LOGIN sa PASSWORD = 'hash string' HASHED
to change it.
Do not do this regularly - if someone gets hashes of all your passwords (just like you're getting them), it's better that each one have a unique salt, so the attacker has to spend more work testing against many salts before they start finding passwords.
Do not do this from lower protection to higher protection - SQL Server 2005, 2008, and 2008R2 all use the same algorithm. SQL Server 2012 and 2014 use the same. Don't move a 2005/8/8R2 hash to 2012/14; it's significantly weaker (and 2012/14 password hashing is pathetic to begin with).
Thus, you're better off changing the password to what you want in cleartext, so SQL Server generates a new salt. The password hash is incredibly weak, a single iteration of SHA-1 or SHA-512, so it needs all the help it can get.

How does default MVC 4 password verification work?

I've created a default MVC 4 project with login authentication
When I register for an account with password: 123456
Why is it stored in the SQL database as: ALWsAlpVTehuGr7W2jaGwoX3Ww0RE5GC+yYDITvCpCdHmIIrX7vwMoTW3cEbMsGd4w==
If so, how does it compare the 2 strings to check whether the password entered is correct?
By default when passwords are stored in an SQL database they are encrypted. When you try logging in again the password will be encrypted before the authentication attempt, then this encrypted password will be compared to the one stored in the database.
It is disturbingly common for companies databases to become compromised. Imagine if a hacker got a copy of your database and right there was everyone's usernames and passwords in plain text. Most people use the same password for multiple sites so imagine the repercussions. Whereas if the hacker only has the encrypted passwords there is no way to reverse the salt and get the original plain text passwords out.

What is the best way to keep password in SQL Server 2008?

I am planning to save customer's sensitive information through SQL Server certificate/ (a)symmetric keys. Though data is secure now, certificate and keys are not readable, i wonder where should i put the keys? Is there any best practices? only thing i could think of is to create table only accessible to dbo or dedicated login and save there. Please give me your valuable advices.
Thanks,
Ebe.
hash the password and store the hash. if the user forgets the password send him a new one.
also give him an option to change it.
also think about implementing openId registration so you won't have to worry about logins.
Certificates can be encrypted with the database master key and the database master key can be encrypted with the server master key. The server master key is encrypted using DPAPI with the machine key and/or the account key. This is all explained in the Encryption Hierarchy.
An automated service that needs access to the encrypted data secrets can rely on this encryption hierachy. Data is protected at runtime using normal access protection (access conrrol lists and grant/deny/revoke permissions for SELECT), the encryption is added just to provide accidentall media compromise protection. Accidental media compromise protection ultimately relies on the service account password and/or on the host machine system account security.
If you need stronger protection in case of physicall loss you must use SQL 2008 and rely on the EKM infrastructure (Extensible Key Management), create a master key stored on a physical device. This will add security in case of media compromise because an attack needs physical access to the hardware crypto module that stores the master key.
A process that does not need access to the secrets does not need any of these. The access is obtaines by passwords provided by the client applications in this case, and those passwords are usually obtained from the user itself.
If you're system is of the former type (needs automated access to the secrets and does not ask the current user for an access password to the secrets) then the way to go is use the ecryption hierarchy (database master key, service master key). If the app is of the later type (it asks the user for a password to access the user's own specific secrets) then the proper solution is to have a master assymetric key encrypted with a password provided by the user.
Nowhere, and I must emphasize and repeat, NOWHERE in these schemes is there any room for a secret saved into a file, or a master password saved into a table. That is just a major design #FAIL.
Filesystem. A configuration file for example, under a directory that only the account under which your application runs can read and/or write. That assumes that you trust your data center folks of course.
On the other hand, maybe I'm not getting your question quite right. If you just want to store user passwords on a table, you should hash them (use a salt) using SHA-1 ideally. Never store passwords in clear text, regardless of the DB permissions you're using.

Resources