Best practices of storing passwords in DB

Mahmoud_Rabie
Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
edited Jul 5, 2017 7:34PM in SQL & PL/SQL

Hello Experts

I found this article. However, it is old (for 9i)

https://oracle-base.com/articles/9i/storing-passwords-in-the-database-9i

What are the latest best practices of storing passwords in DB.

I would appreciate any help

Regards

Mahmoud


Best Answer

  • Paulzip
    Paulzip Member Posts: 8,494 Blue Diamond
    edited Jul 5, 2017 3:53AM Accepted Answer

    PBKDF2 is a better algorithm for hashing passwords because it is deliberately functionally slow to compute (when compared to, say, SHA-2, which is a quick algorithm); this counters brute force attacks, where the attacks typically try millions or billions of attempts. That slower algorithm, coupled with scales of magnitude, makes it very safe.

    I've used PBKDF2 outside of Oracle, but wasn't aware it was available in 12c. The same basic principles apply as mentioned in my previous posts.

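
    The cost argument in the accepted answer, as an added example that is not code from the thread or from Oracle. It hashes the same constructed password with a single salted SHA-256 and with PBKDF2-HMAC-SHA512, times one guess of each, then runs the same small offline dictionary attack against both leaked (hash, salt) pairs. The iteration count, the wordlist and the victim password are assumptions made up for the demo.

```python
"""Added example, not code from the thread or from Oracle: measures why a
deliberately slow KDF (PBKDF2) blunts offline brute force compared with a
plain SHA-2 hash.  Iteration count, wordlist and the 'leaked' rows are all
constructed for the demo."""
import hashlib
import hmac
import os
import time

# Assumed work factor; in practice tune it so one verification takes tens of
# milliseconds on the server that performs logins.
ITERATIONS = 100_000


def sha2_hash(password: str, salt: bytes) -> bytes:
    """Fast salted hash: a single SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow salted hash: PBKDF2 with HMAC-SHA512, the construction the 12c
    password verifier is based on."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=64)


def seconds_per_guess(fn, salt: bytes, samples: int) -> float:
    """Average wall-clock cost of evaluating fn for one candidate password."""
    start = time.perf_counter()
    for i in range(samples):
        fn("candidate%d" % i, salt)
    return (time.perf_counter() - start) / samples


def dictionary_attack(target: bytes, salt: bytes, fn, wordlist):
    """What an attacker holding a leaked (hash, salt) pair does: recompute fn
    for every candidate and compare.  Returns (password or None, guesses)."""
    for tried, word in enumerate(wordlist, 1):
        if hmac.compare_digest(fn(word, salt), target):
            return word, tried
    return None, len(wordlist)


def demo() -> dict:
    salt = os.urandom(16)
    victim = "Summer2017!"
    # Constructed wordlist; the victim password is last so both attacks do
    # the same number of guesses and only the per-guess cost differs.
    wordlist = ["password%d" % i for i in range(20)] + [victim]

    fast_cost = seconds_per_guess(sha2_hash, salt, samples=2000)
    slow_cost = seconds_per_guess(pbkdf2_hash, salt, samples=3)

    fast_found, fast_tries = dictionary_attack(
        sha2_hash(victim, salt), salt, sha2_hash, wordlist)
    slow_found, slow_tries = dictionary_attack(
        pbkdf2_hash(victim, salt), salt, pbkdf2_hash, wordlist)

    keyspace = 26 ** 8  # e.g. eight lower-case letters, only to scale the numbers
    return {
        "fast_recovered": fast_found, "fast_guesses": fast_tries,
        "slow_recovered": slow_found, "slow_guesses": slow_tries,
        "cost_ratio": slow_cost / fast_cost,
        "days_to_exhaust_fast": keyspace * fast_cost / 86400,
        "days_to_exhaust_slow": keyspace * slow_cost / 86400,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    Both attacks recover the password after the same 21 guesses; the only thing the slow KDF changes is the price of each guess, which is the whole point: the defender pays that price once per login, the attacker pays it once per candidate.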

Answers

  • EdStevens
    EdStevens Member Posts: 28,533 Gold Crown
    edited Jul 4, 2017 7:08PM
    Mahmoud_Rabie wrote:

        Hello Experts. I found this article. However, it is old (for 9i): https://oracle-base.com/articles/9i/storing-passwords-in-the-database-9i
        What are the latest best practices of storing passwords in DB. I would appreciate any help. Regards, Mahmoud

    The article itself may be old, but it is still sound.  Storing the password as a one-way hash, then verifying presented credentials by using the same hash function and comparing the resulting hash value with what is stored is still exactly how oracle stores its own passwords.

    The reason the article is "old" is because there has been no reason to "update".

  • rp0428 (account displayed as Unknown)
    edited Jul 4, 2017 7:09PM
    What are the latest best practices of storing passwords in DB.

    Same as always: DON'T DO IT!

    The general rule for most things Oracle is don't do something without a valid requirement for doing it.

    Please tell us WHY you think you need to store passwords in the DB and which users' passwords you plan to store.

  • John Thorton
    John Thorton Member Posts: 14,493 Silver Crown
    edited Jul 4, 2017 7:11PM
    Mahmoud_Rabie wrote:

        Hello Experts. I found this article. However, it is old (for 9i): https://oracle-base.com/articles/9i/storing-passwords-in-the-database-9i
        What are the latest best practices of storing passwords in DB. I would appreciate any help. Regards, Mahmoud

    Password technology has not progressed since V9 Oracle was released.

    It is unwise to store passwords as plain text or encrypted strings inside the database.

    Depending upon actual requirements & level of liability, consider utilizing actual security "products" such as Oracle Wallet, LDAP, Kerberos, etc.

    Two-factor security is better than just using passwords.

    Which metric measures "best"?

  • Mahmoud_Rabie
    Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
    edited Jul 4, 2017 7:31PM

    EdStevens, rp0428, John

    Thanks a lot.

    EdStevens wrote:

        The article itself may be old, but it is still sound. Storing the password as a one-way hash, then verifying presented credentials by using the same hash function and comparing the resulting hash value with what is stored is still exactly how oracle stores its own passwords. The reason the article is "old" is because there has been no reason to "update".

    The author said:

        I'll present a simple example of this process using the DBMS_OBFUSCATION_TOOLKIT package, available in Oracle 8i and Oracle 9i, and the DBMS_CRYPTO package, available in Oracle 10g onward.

    I have one question: Is it possible to use only the latest package DBMS_CRYPTO ?

  • Mahmoud_Rabie
    Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
    edited Jul 4, 2017 7:34PM
    rp0428 wrote:

        Same as always: DON'T DO IT! The general rule for most things Oracle is don't do something with a valid requirement for doing it. Please tell us WHY you think you need to store passwords in the DB and what user's passwords you plan to store.

    I need to build my custom authentication scheme from scratch because Oracle DB is the backend of my hybrid mobile application, which exchanges data with it securely using OAuth2:Client Credentials.

  • Mahmoud_Rabie
    Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
    edited Jul 4, 2017 7:39PM
    John Thorton wrote:

        password technology has not progressed since V9 Oracle was released. It is unwise to store passwords as plain text or encrypted strings inside the database. Depending upon actual requirements & level of liability, consider to utilize actual security "products" such as Oracle Wallet, LDAP, Kerberos, etc. Two factor security is better than just using passwords. Which metric measures "best"?

    Adding such security products might cost and require a lot of integration effort.

    So, you prefer two-factor security. Please recommend some examples or tutorials.

  • Paulzip
    Paulzip Member Posts: 8,494 Blue Diamond
    edited Jul 4, 2017 8:02PM

    NEVER EVER store passwords in DBs.  It's beyond stupid, insanely idiotic.  It's wrong on any and every level.

    Instead, add a salt to any password (a salt is a sequence of bytes which acts as a brute force preventer and scuppers rainbow table lookups), hash it with a decent bit-sized hash algorithm (any SHA-2 is a good choice, see DBMS_CRYPTO) and store the hash and salt in your table.  Hashes are one-way computed values; they cannot be reversed.

    When you need to check a password, do the same again with the entered password and compare the computed hash with the stored hash; if they match, bingo, the password entered was correct.  Easy.

    Some reading for you

  • Mahmoud_Rabie
    Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
    edited Jul 4, 2017 8:34PM

    Hi Paul

    Excellent information. Thanks a lot for that.

    Paulzip wrote:

        NEVER EVER store passwords in DBs. It's beyond stupid, insanely idiotic. It's wrong on any and every level.

    That's why this thread was created.

    What are the best practices if I needed that?  Please take a look at these threads

    Secure Retrieval of the Client Credentials from ORDS?

    Optimize PL/SQL of LOGIN_TRIAL procedure

    Paulzip wrote:

        Instead add a salt to any password (a salt is a sequence of bytes which act as a brute force preventer and scupper rainbow table lookups), hash it with a decent bit sized hash algorithm (any SHA-2 is a good choice, see DBMS_CRYPTO) and store the hash and salt in your table. Hashes are one way computer values, they cannot be reversed. When you need to check a password, do the same again with the entered password and compare computed hash with stored hash, if they match, bingo, the password entered was correct. Easy.

    So, instead of storing the encrypted or obfuscated PASSWD field, what about replacing it with these fields

        PASSWORD_HASH VARCHAR2(512 BYTE),
        PASSWORD_SALT VARCHAR2(256 BYTE),
        PASSWORD_ITERATIONS NUMBER(10),
        PASSWORD_HASH_METHOD VARCHAR2(30 BYTE),
        PASSWORD_CHANGED_DT DATE

    Reference

    https://stackoverflow.com/questions/12058356/encrypt-decrypt-password-in-oracle-function

    Some reading for you

    It is very important. I would read it carefully. Thanks again.

    Regards

    Mahmoud

  • Paulzip
    Paulzip Member Posts: 8,494 Blue Diamond
    edited Jul 4, 2017 8:49PM

    Yes, the StackOverflow suggestion (with your field list) is a fairly standard approach and a sensible one.

    Obfuscated passwords are weak - that "masking" is generally reversible, hackable or crackable.  Hashes aren't; it's mathematically impossible to reverse a hash - it's one way only.

  • Mahmoud_Rabie
    Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
    edited Jul 4, 2017 10:46PM

    Oracle has made improvements to user password hashes within Oracle Database 12c. By using a PBKDF2-based SHA512 hashing algorithm, instead of simple SHA1 hash, password hashing is more secure.

    Reference

    https://www.trustwave.com/Resources/SpiderLabs-Blog/Changes-in-Oracle-Database-12c-password-hashes/

    Are there any examples, tutorials and PL/SQL code for hashing users' passwords using a PBKDF2-based algorithm? I would prefer using Oracle packages as much as possible.
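
    The scheme Paulzip describes (random salt, one-way hash, recompute and compare on login), stored in the column layout Mahmoud proposed above, and the PBKDF2-based hashing asked about in this last post, as one added example that is not code from the thread or from Oracle. It is written in Python against an in-memory SQLite table that stands in for the Oracle table (assumption: same columns, with VARCHAR2 and DATE mapped to TEXT and the hash and salt stored as hex); the KDF is PBKDF2 with HMAC-SHA512 from Python's hashlib, standing in for whatever DBMS_CRYPTO routine the database provides. The iteration count, salt length and sample users are assumptions for the demo.

```python
"""Added example, not code from the thread or from Oracle: the salted,
iterated hash scheme discussed above, stored in the proposed column layout
and verified on login.  An in-memory SQLite table stands in for the Oracle
table (assumption: same columns, VARCHAR2 and DATE mapped to TEXT); the KDF
is PBKDF2 with HMAC-SHA512 via hashlib, standing in for a DBMS_CRYPTO call."""
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timezone

HASH_METHOD = "PBKDF2-HMAC-SHA512"  # recorded per row so it can change later
CURRENT_ITERATIONS = 100_000         # assumed work factor; tune to ~50-100 ms per verify
SALT_BYTES = 16
DKLEN = 64

DDL = """
CREATE TABLE app_users (
  username             TEXT    PRIMARY KEY,
  password_hash        TEXT    NOT NULL,  -- hex of derived key   (VARCHAR2(512 BYTE))
  password_salt        TEXT    NOT NULL,  -- hex of random salt   (VARCHAR2(256 BYTE))
  password_iterations  INTEGER NOT NULL,  -- work factor used     (NUMBER(10))
  password_hash_method TEXT    NOT NULL,  -- algorithm identifier (VARCHAR2(30 BYTE))
  password_changed_dt  TEXT    NOT NULL   -- ISO-8601 timestamp   (DATE)
)"""


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512 of the password under the given salt and work factor."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=DKLEN)


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return conn


def _store_row(conn, username: str, password: str, iterations: int) -> None:
    salt = secrets.token_bytes(SALT_BYTES)  # fresh CSPRNG salt on every change
    key = derive(password, salt, iterations)
    conn.execute(
        "INSERT OR REPLACE INTO app_users VALUES (?, ?, ?, ?, ?, ?)",
        (username, key.hex(), salt.hex(), iterations, HASH_METHOD,
         datetime.now(timezone.utc).isoformat()))
    conn.commit()


def set_password(conn, username: str, password: str) -> None:
    """Register or change a password at the current work factor."""
    _store_row(conn, username, password, CURRENT_ITERATIONS)


def seed_legacy_row(conn, username: str, password: str, iterations: int) -> None:
    """Simulates a row written back when a lower iteration count was in force."""
    _store_row(conn, username, password, iterations)


def fetch_row(conn, username: str):
    cols = ("password_hash", "password_salt", "password_iterations",
            "password_hash_method")
    row = conn.execute(
        "SELECT %s FROM app_users WHERE username = ?" % ", ".join(cols),
        (username,)).fetchone()
    return None if row is None else dict(zip(cols, row))


def verify_password(conn, username: str, password: str) -> bool:
    """Recompute the hash with the row's own salt and iteration count and
    compare in constant time.  A correct login against a row with an outdated
    work factor is re-hashed at CURRENT_ITERATIONS; the stored iteration
    column is what makes that transparent upgrade possible."""
    row = fetch_row(conn, username)
    if row is None:
        # Burn the same work for unknown usernames so response time does not
        # reveal which accounts exist.
        derive(password, b"\x00" * SALT_BYTES, CURRENT_ITERATIONS)
        return False
    if row["password_hash_method"] != HASH_METHOD:
        return False
    candidate = derive(password, bytes.fromhex(row["password_salt"]),
                       row["password_iterations"])
    ok = hmac.compare_digest(candidate, bytes.fromhex(row["password_hash"]))
    if ok and row["password_iterations"] < CURRENT_ITERATIONS:
        set_password(conn, username, password)
    return ok


if __name__ == "__main__":
    db = open_store()
    set_password(db, "alice", "correct horse battery staple")
    print(verify_password(db, "alice", "correct horse battery staple"))  # True
    print(verify_password(db, "alice", "wrong password"))                # False
```

    Two users with the same password get different rows because each gets its own salt, and the per-row iteration and method columns let the work factor be raised later without a forced reset. In an Oracle implementation, derive() would become the database's PBKDF2 or HMAC routine and the hash and salt could be kept in RAW columns rather than hex; the comparison should still be a constant-time one.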

This discussion has been closed.