Discussions
Categories
- 382.3K All Categories
- 2.1K Data
- 209 Big Data Appliance
- 1.9K Data Science
- 448K Databases
- 221K General Database Discussions
- 3.7K Java and JavaScript in the Database
- 25 Multilingual Engine
- 520 MySQL Community Space
- 467 NoSQL Database
- 7.8K Oracle Database Express Edition (XE)
- 2.9K ORDS, SODA & JSON in the Database
- 492 SQLcl
- 3.9K SQL Developer Data Modeler
- 186.2K SQL & PL/SQL
- 21K SQL Developer
- 293.3K Development
- 7 Developer Projects
- 128 Programming Languages
- 290K Development Tools
- 95 DevOps
- 3K QA/Testing
- 645.5K Java
- 24 Java Learning Subscription
- 36.9K Database Connectivity
- 149 Java Community Process
- 104 Java 25
- 22.1K Java APIs
- 137.9K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 16 Java Essentials
- 144 Java 8 Questions
- 85.9K Java Programming
- 79 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.2K Java SE
- 13.8K Java Security
- 198 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 266 LiveLabs
- 36 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.8K Other Languages
- 2.3K Chinese
- 166 Deutsche Oracle Community
- 1.2K Español
- 1.9K Japanese
- 230 Portuguese
Best practices of storing passwords in DB
Hello Experts
I found this article. However, it is old (for 9i)
https://oracle-base.com/articles/9i/storing-passwords-in-the-database-9i
What are the latest best practices of storing passwords in DB.
I would appreciate any help
Regards
Mahmoud
Best Answer
-
PBKDF2 is a better algorithm for hashing passwords because it is deliberately functionally slow to compute (when compared to say SHA-2, which is a quick algorithm), this counters brute force attacks, where the attacks typically try millions or billions of attempts. That slower algorithm coupled with scales of magnitude, makes it very safe.
I've used PBKDF2 outside of Oracle, but wasn't aware it was available in 12c. The same basic principles apply as mentioned in my previous posts.
Answers
-
Mahmoud_Rabie wrote:Hello ExpertsI found this article. However, it is old (for 9i)https://oracle-base.com/articles/9i/storing-passwords-in-the-database-9i What are the latest best practices of storing passwords in DB.I would appreciate any helpRegardsMahmoud
The article itself may be old, but it is still sound. Storing the password as a one-way hash, then verifying presented credentials by using the same hash function and comparing the resulting hash value with what is stored is still exactly how oracle stores its own passwords.
The reason the article is "old" is because there has been no reason to "update".
-
What are the latest best practices of storing passwords in DB.
Same as always: DON'T DO IT!
The general rule for most things Oracle is don't do something with a valid requirement for doing it.
Please tell us WHY you think you need to store passwords in the DB and what user's passwords you plan to store.
-
Mahmoud_Rabie wrote:Hello ExpertsI found this article. However, it is old (for 9i)https://oracle-base.com/articles/9i/storing-passwords-in-the-database-9i What are the latest best practices of storing passwords in DB.I would appreciate any helpRegardsMahmoud
password technology has not progressed since V9 Oracle was released.
It is unwise to store passwords as plain text or encrypted strings inside the database.
Depending upon actual requirements & level of liability, consider to utilize actual security "products" such as Oracle Wallet, LDAP, Kerberos, etc.
Two factor security is better than just using passwords.
Which metric measures "best"?
-
EdStevens, rp0428, John
Thanks a lot.
EdStevens wrote:The article itself may be old, but it is still sound. Storing the password as a one-way hash, then verifying presented credentials by using the same hash function and comparing the resulting hash value with what is stored is still exactly how oracle stores its own passwords.The reason the article is "old" is because there has been no reason to "update".
The author said:
I'll present a simple example of this process using the
DBMS_OBFUSCATION_TOOLKITpackage, available in Oracle 8i and Oracle 9i, and theDBMS_CRYPTOpackage, available in Oracle 10g onward.I have one question: Is it possible to use only the latest package DBMS_CRYPTO ?
-
rp0428 wrote:Same as always: DON'T DO IT!The general rule for most things Oracle is don't do something with a valid requirement for doing it.Please tell us WHY you think you need to store passwords in the DB and what user's passwords you plan to store.
I need to build my custom authentication scheme from scratch because Oracle DB is the backed of my hybrid mobile application which is exchanges data with it securely using OAuth2:Client Credentials.
-
John Thorton wrote:password technology has not progressed since V9 Oracle was released.It is unwise to store passwords as plain text or encrypted strings inside the database.Depending upon actual requirements & level of liability, consider to utilize actual security "products" such as Oracle Wallet, LDAP, Kerberos, etc.Two factor security is better than just using passwords.Which metric measures "best"?
Adding such security products might costs and require a lot integration efforts.
So, you prefer Two-Factor security. Please recommend some examples or tutorials .
-
NEVER EVER store passwords in DBs. It's beyond stupid, insanely idiotic. It's wrong on any and every level.
Instead add a salt to any password (a salt is a sequence of bytes which act as a brute force preventer and scupper rainbow table lookups), hash it with a decent bit sized hash algorithm (any SHA-2 is a good choice, see DBMS_CRYPTO) and store the hash and salt in your table. Hashes are one way computer values, they cannot be reversed.
When you need to check a password, do the same again with the entered password and compare computed hash with stored hash, if they match, bingo, the password entered was correct. Easy.
-
Hi Paul
Excellent information. Thanks a lot for that.
Paulzip wrote:NEVER EVER store passwords in DBs. It's beyond stupid, insanely idiotic. It's wrong on any and every level.
That's why this thread is created.
What are the best practices if I needed that? Please take a look at this threads
Secure Retrieval of the Client Credentials from ORDS?
Optimize PL/SQL of LOGIN_TRIAL procedure
Instead add a salt to any password (a salt is a sequence of bytes which act as a brute force preventer and scupper rainbow table lookups), hash it with a decent bit sized hash algorithm (any SHA-2 is a good choice, see DBMS_CRYPTO) and store the hash and salt in your table. Hashes are one way computer values, they cannot be reversed.When you need to check a password, do the same again with the entered password and compare computed hash with stored hash, if they match, bingo, the password entered was correct. Easy.
So, instead of storing the encrypted or obfuscated PASSWD field what about replacing with these fields
<span class="pln" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;">PASSWORD_HASH VARCHAR2</span><span class="pun" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;">(</span><span class="lit" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #7d2727;">512</span><span class="pln" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;"> BYTE</span><span class="pun" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;">),</span><span class="pln" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;"><br/>PASSWORD_SALT VARCHAR2</span><span class="pun" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;">(</span><span class="lit" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #7d2727;">256</span><span class="pln" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;"> BYTE</span><span class="pun" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;">),</span><span class="pln" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;"><br/>PASSWORD_ITERATIONS NUMBER</span><span class="pun" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;">(</span><span class="lit" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #7d2727;">10</span><span class="pun" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;">),</span><span class="pln" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;"><br/>PASSWORD_HASH_METHOD VARCHAR2</span><span class="pun" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;">(</span><span class="lit" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #7d2727;">30</span><span class="pln" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;"> BYTE</span><span class="pun" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;">),</span><span class="pln" style="font-style: inherit; font-weight: inherit; font-size: inherit; font-family: inherit; color: #303336;"><br/>PASSWORD_CHANGED_DT DATE</span>Reference
https://stackoverflow.com/questions/12058356/encrypt-decrypt-password-in-oracle-function
Some reading for you
It is very important. I would read it carefully. Thanks again.
Regards
Mahmoud
-
Yes, the StackOverflow suggestion (with your field list) is a fairly standard approach and a sensible one.
Obfuscated passwords are weak - that "masking" is generally reversible, hackable or crackable. Hashes aren't, it's mathematically impossible to reverse a hash - it's one way only.
-
Oracle has made improvements to user password hashes within Oracle Database 12c. By using a PBKDF2-based SHA512 hashing algorithm, instead of simple SHA1 hash, password hashing is more secure.
Reference
https://www.trustwave.com/Resources/SpiderLabs-Blog/Changes-in-Oracle-Database-12c-password-hashes/
Are there any examples, tutorials and PL/SQL code for hashing users passwords using PKDF2-based algorithm. I would prefer using Oracle packages as much as possible.