I need to understand if we don't store actual password in our database because of security reason. We normally store one-way encrypted passwords. Now if this is true, and we wan't to change the password how does some of the well known web-sites figure out that new password is very close or partially matching old password and they prompt us to change it. For that to happen they will have to store old password somewhere or two way encrypted password which could be decrypted again.
There are two possibilities:
Normally when you change your password, you are first required to type in your old password to confirm that you are you. The site could be temporarily keeping that old password in memory so that it can compare your old password to your new one.
When you type in your new password, it can be checking if the hash of number of simple modifications to it maps to the hash of your old password.
For example, if you type in your new password as "password7", then the site may be doing a number of checks such as the following:
password_hash( "password0", old_salt ) == value stored in database?
password_hash( "password1", old_salt ) == value stored in database?
password_hash( "password2", old_salt ) == value stored in database?
password_hash( "password3", old_salt ) == value stored in database?
password_hash( "password4", old_salt ) == value stored in database?
password_hash( "password5", old_salt ) == value stored in database?
password_hash( "password6", old_salt ) == value stored in database?
password_hash( "password7", old_salt ) == value stored in database?
password_hash( "password8", old_salt ) == value stored in database?
password_hash( "password9", old_salt ) == value stored in database?
This would be really, really slow if they used a proper password hashing algorithm (such as bcrypt or scrypt), but I would not be surprised if this is actually done in some implementations.
Of course, there is also the third possibility that the stupid website never hashed your password in the first place!
Related
How can I delete data from a table in my database? For example, put a syntax where
delete from table_users where users or password or email or name = "perico"
Here is a trick you can use with a tuple:
DELETE
FROM table_users
WHERE 'perico' IN (users, password, email, name);
Note: If you are actually storing plain text in your password column then you should stop and instead read about hashing and salting passwords. Clear text passwords in a database are a huge security risk.
I'm having some trouble understanding SQL Azure password validation (in local SQL it works, just not CREATE USER command, but CREATE LOGIN command). Anyway this is user creation statement:
This one works:
CREATE USER [test1] WITH PASSWORD = 'testicus2019!'
This one failes with "Msg 40632, Level 16, State 3, Line 6
Password validation failed. The password does not meet policy requirements because it is not complex enough.":
CREATE USER [test_1] WITH PASSWORD = 'testicus2019!'
I understand that passwords must not contain usernames, but this is not the case in any of the statements. Does SQL on Azure break usernames with underscore in it? Where could I find such information?
As mentioned the second case works with local SQL, just using CREATE LOGIN command.
print ##version on Azure SQL returns "12.0.2000.8", if it's relevant.
You mentioned correctly here 'Passwords cannot contain single quotes, or the login_name.'.
So there is a catch in your case.
In the first statement, the username is entire 'test1' which cannot be exactly found in password 'testicus2019!', so it would allow us to create it.
However in 2nd statement, the username is anything before or after underscore. In your case 'test_1' is checked just for 'test' in password 'testicus2019!'.
As another example, if we try creating '[test_demo]' user with any of passwords 'testicus2019!' or 'demoicus2019!', it would not work. However if creating a password like 'password2019!', then it will work.
I am defining a new table where a column suppose to store name of the logged in user. How to grab logged in user name as default value for a column? Is it possible out of the box ?
You can use SYSTEM_USER variable to fill that.
I would recommend using ORIGINAL_LOGIN in case there is some impersonation going on. It will always get the user name that initiated the connection.
ORIGINAL_LOGIN
SYSTEM_USER
Hello I wonder if there is way to disable repeating value in SQL Server 2012. I don't want several people to have the same login. As a primary key I am using ID. Should I change primary key from ID to Login ?
Declare the login to be unique.
Or, equivalently, create a unique index on login:
create unique index table_login on table(login);
First off, you should never store a password as plain text in the database. Store an encrypted string if the password must be recoverable, but better yet store a salted hash of the password.
You could enforce your rule by creating a unique constraint on the Login column.
I'm trying to write a script for a web portal (APEX) that allows a user to change their password on the associated database that they select
I'm trying to write a pl/sql procedure that I can execute over a database link to change the password on that database.
I guess what I am asking is can I connect as a different user within a PL/SQL block and run alter user identified by from within that block?
CREATE OR REPLACE PROCEDURE CHPWD
(
Database IN VARCHAR2
, Username IN VARCHAR2
, old_pw IN VARCHAR2
, new_pw IN VARCHAR2
) AS
BEGIN
/* Something like conn Username/old_pw here
then
alter username identified by new_pw */
END CHPWD;
Thanks!
The standard approach would be to have the procedure owned by a highly privileged user who can change any password, grant execute on the procedure to the users who should be able to execute it, and place logic in the procedure to implement security restrictions.
I believe the main issue is authenticating the user's password before changing it. I do not think there is a secure method to do this though - the best way to confirm the password would be to, as in your comment, login to the database with it. That requires passing the password to an external script though which would reveal your plain text password to anyone with access to the system.
The other method would be to take the algorithms that people have used to duplicate Oracle's password hashing algorithm - but this is effectively hacked together and liable to be changed:
http://www.petefinnigan.com/weblog/archives/00001097.htm