Forum Stats

  • 3,741,019 Users
  • 2,248,356 Discussions
  • 7,861,583 Comments

Discussions

encryption in oracle

I am creating one user table in our oracle schema, where i will be storing username and passwords. When i am storing the passwords it will be saved as plain text but instead i want to store it in encrypted format. Is there a example .

Tagged:

Answers

  • Sunny kichloo
    Sunny kichloo Member Posts: 2,443 Gold Trophy

    What kind of username and password you are going to store in oracle tables?

    What is the usecase of this username and password?

    If you want to store encrypted data you can refer below mentioned link:

    Even though above mentioned document is old but still very useful and can help with your usecase

  • Jason_(A_Non)
    Jason_(A_Non) Member Posts: 2,026 Silver Trophy
    edited Dec 14, 2020 5:57PM

    The big takeaway from that link is that passwords are hashed, not encrypted. A hash is one-way, while encryption is two-way. This means with a hash value, you cannot determine what the original text was. The user provides the password, functions hash it and either store that hash value or compare it to the previously stored hashed value.

    I did notice that Tim's article does an UPPER on the password, which is not ideal, but then your system may accept that LETMEIN is the same as LetMeIn. Not a good recommendation now. His example does properly salt the value and add something unique per each user (user name or a value stored in the DB for that user).

    Forgot to add, use the strongest hash function your version of Oracle (and/or the GUI) allows for longest life, which right now are SHA2.

  • Emad Al-Mousa
    Emad Al-Mousa Member Posts: 716 Bronze Trophy

    you can use DBMS_CRYPTO package......you can use column level encryption with TDE (encryption at rest) if you have the license for this security feature.


    Regards,

  • EdStevens
    EdStevens Member Posts: 28,237 Gold Crown

    As previosly noted, encryption is not a secure way to store a password, as it can be decrypted. And given today's tools, it can be decrypted repetitively easily. And relying on solely on TDE is even worse, as anyone with privilege to select the table will be able to select the clear text of the password. As noted, TDE is data _at rest_. It protects only against someone hacking the system and reading the raw data from the disk.

  • Emad Al-Mousa
    Emad Al-Mousa Member Posts: 716 Bronze Trophy


    True data at rest encryption will only protect data from physical access level (server level - for data files being copied/exfiltrated for example).....but I disagree regarding encryption can be cracked easily....it depends on many factors such as the encryption algorithm, key length used,.....etc. you need very powerful machines to decrypt. the question is not clear regarding what is the main purpose/objective of having this table for username/passwords in a database system in the first place, there are password management systems designed to store credentials. ......thanks for your addition in this thread.

  • EdStevens
    EdStevens Member Posts: 28,237 Gold Crown

    Yes, the purpose is important. If it is storing the password to be used by some other processs needing to connect, then it would need to be encrypted so that it can be decrypted for use by that process. On the other hand, if it is be stored for authentication, the same as oracle storing its user passwords, then hashing is the proper method.

Sign In or Register to comment.