Prevent re-use of previously selected passwords

oracle United States
  • 15 years ago

    Hi Friends,


    I have 2 queries and was wondering if you could answer them.


    1. A form must be designed to prevent users from reusing passwords that have been used in the last 12 months.

    2. Also, since the password is stored in an Oracle table as plain text, how can we encrypt it?


    Thank You,


    Friend  

  • 15 years ago

    every time they change their password, put the old one in an array in another field called "old_pwds" or something. then when they're changing, you can loop through that array checking that it's not any of them.....


    what are you using to interface your database? is this as part of a web site? so you're using asp/php/cfm/jsp etc.? use a string function for the appropriate language to irreversibly encrypt the password...... make sure it's irreversible otherwise it's pointless


    (then when they log in, you irreversibly encrypt it again, and see if the hash just created matches the one stored)

  • 15 years ago

    PS. If you're storing an archive of their passwords, you'll probably have to inform users of that practice in your privacy policy. Reassure them by telling them they're stored securely, in encrypted format so they are 100% inaccessible by you.

  • 15 years ago

    I am using Forms 6i (Developer 2000) as an interface.
    I could not understand the irreversible method!
    Could you explain it once again, please?


    Friend

  • 15 years ago

    for instance, say when i sign up, i choose a password "pussycat"


    this is encrypted irreversibly to produce its hash, which using PHP's crypt()  function, with default salt, is $1$/9jIldg9$eqkm3uG63RSIq.xigi1j21


    Note, this will be EXACTLY the same every time you encrypt the string "pussycat", as long as you use the same method, same variables etc.


    Therefore, in the database stuff would be stored like this:


    Username: paulfp
    Password: $1$/9jIldg9$eqkm3uG63RSIq.xigi1j21
    Name: Paul Freeman-Powell
    Email: [email protected]


    .... etc. etc.


    So that's secure, because notice that the password's not being stored as plain text. So if someone finds that, whoopy doo... not much they can do with that, cos it's not "pussycat", and there's no way they can get "pussycat" from that string, cos the encryption method is IRREVERSIBLE.


    So when someone logs in, first of all you encrypt the password they've entered, and if it's correct it will be exactly the same as that random gobbledygook stored in the database. So let them log in.


    Hope that's clear, once you've got your head around it, it's a very simple concept really
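Putting the two replies above together (keep the old hashes, and store only an irreversible hash rather than the plain password), here is an added, self-contained Python example that is not part of this thread and not the original poster's Forms 6i code. It uses PBKDF2-SHA256 with a random per-password salt in place of PHP's crypt(), keeps the in-memory store and the 12-month window as constructed assumptions, and answers the original question's "used in the last 12 months" by recording when each password was set and when it was retired. Because every stored hash carries its own salt, a candidate password is checked by re-hashing it against each stored salt, not by comparing hash strings.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Assumptions for this example: PBKDF2 iteration count and a 12-month reuse window.
ITERATIONS = 100_000
HISTORY_WINDOW = timedelta(days=365)


def hash_password(password: str, salt: bytes) -> bytes:
    """Irreversible, salted, deliberately slow hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str, when: datetime) -> dict:
    """Build the row that would be stored instead of the plain-text password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "set_at": when, "retired_at": None}


def verify(password: str, record: dict) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


class PasswordStore:
    """Constructed in-memory stand-in for the users table plus an 'old_pwds' history."""

    def __init__(self):
        self.current = {}   # username -> current record
        self.history = {}   # username -> list of retired records

    def set_password(self, user: str, password: str, now: datetime) -> None:
        if user in self.current:
            old = self.current[user]
            old["retired_at"] = now          # remember when it stopped being in use
            self.history.setdefault(user, []).append(old)
        self.current[user] = make_record(password, now)

    def was_used_recently(self, user: str, candidate: str, now: datetime) -> bool:
        """True if the candidate matches any password in use at some point in the window."""
        cutoff = now - HISTORY_WINDOW
        records = list(self.history.get(user, []))
        if user in self.current:
            records.append(self.current[user])
        for r in records:
            in_window = r["retired_at"] is None or r["retired_at"] >= cutoff
            if in_window and verify(candidate, r):   # hash only when the row matters
                return True
        return False

    def change_password(self, user: str, old: str, new: str, now: datetime) -> str:
        if user not in self.current or not verify(old, self.current[user]):
            return "wrong current password"
        if self.was_used_recently(user, new, now):
            return "reused within 12 months"
        self.set_password(user, new, now)
        return "ok"


def run_scenario() -> list:
    """Walk one user through the rules; timestamps are constructed sample data."""
    store = PasswordStore()
    t0 = datetime(2024, 1, 1)
    store.set_password("paulfp", "pussycat", t0)
    day = lambda n: t0 + timedelta(days=n)
    return [
        store.change_password("paulfp", "wrong", "newpass1", day(30)),    # bad current password
        store.change_password("paulfp", "pussycat", "pussycat", day(30)), # same as current
        store.change_password("paulfp", "pussycat", "newpass1", day(30)), # accepted, old one retired
        store.change_password("paulfp", "newpass1", "pussycat", day(60)), # retired 30 days ago: blocked
        store.change_password("paulfp", "newpass1", "pussycat", day(400)),# retired >12 months ago: allowed
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The retired_at field is what makes the 12-month rule correct: a password set 14 months ago but only replaced last month was still "used in the last 12 months", so the window is measured from when the password stopped being in use, not from when it was chosen.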

  • 15 years ago
    I'm not sure how this would work in Oracle, but in SQL server you could use a trigger, so as a password field was updated a stored procedure is run to copy the old value to another table. You could put this in a transaction and roll it back if the password already existed in the other table and the password could not be changed.  I'm sure there must be an equivalent in Oracle.

    This would mean that if you ever developed another part of your application that also changed a password, it will always be archived.
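The trigger-based archive described in the reply above, as an added Python example that is not from the thread or from SQL Server or Oracle: it uses SQLite (an assumption, chosen so it runs offline) with a BEFORE UPDATE trigger that aborts the change when the new hash is already archived, and an AFTER UPDATE trigger that copies the old hash into a history table on every successful change, whichever part of the application issued the UPDATE. For the database to compare hashes at all, the user's salt has to stay fixed across password changes (it is stored once in the users table), which is the trade-off against doing the check in application code.

```python
import hashlib
import os
import sqlite3

ITERATIONS = 100_000   # assumption for this example


def hash_for_user(password: str, salt: bytes) -> str:
    # Hex digest so the trigger can compare stored hash strings directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


# Constructed schema: users holds the current hash, pwd_history the archive.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    salt     BLOB NOT NULL,
    pwd_hash TEXT NOT NULL
);
CREATE TABLE pwd_history (
    username   TEXT NOT NULL,
    pwd_hash   TEXT NOT NULL,
    retired_at TEXT NOT NULL DEFAULT (datetime('now'))
);
-- Reject a hash that is the current one or already in the archive; RAISE(ABORT) rolls back the UPDATE.
CREATE TRIGGER pwd_no_reuse BEFORE UPDATE OF pwd_hash ON users
BEGIN
    SELECT RAISE(ABORT, 'password reused')
    WHERE NEW.pwd_hash = OLD.pwd_hash
       OR EXISTS (SELECT 1 FROM pwd_history
                  WHERE username = OLD.username AND pwd_hash = NEW.pwd_hash);
END;
-- Archive the old hash on every successful change, no matter which code path issued the UPDATE.
CREATE TRIGGER pwd_archive AFTER UPDATE OF pwd_hash ON users
BEGIN
    INSERT INTO pwd_history (username, pwd_hash) VALUES (OLD.username, OLD.pwd_hash);
END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)   # per-user salt, fixed for the life of the account
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_for_user(password, salt)))
    conn.commit()


def change_password(conn: sqlite3.Connection, username: str, new_password: str) -> bool:
    """Return True if the change committed, False if the trigger rolled it back."""
    (salt,) = conn.execute("SELECT salt FROM users WHERE username = ?", (username,)).fetchone()
    try:
        with conn:   # one transaction: committed on success, rolled back on RAISE(ABORT)
            conn.execute("UPDATE users SET pwd_hash = ? WHERE username = ?",
                         (hash_for_user(new_password, salt), username))
        return True
    except sqlite3.IntegrityError:   # what RAISE(ABORT) surfaces as in Python's sqlite3
        return False


def history_count(conn: sqlite3.Connection, username: str) -> int:
    return conn.execute("SELECT COUNT(*) FROM pwd_history WHERE username = ?",
                        (username,)).fetchone()[0]


def run_trigger_scenario() -> tuple:
    """Constructed walk-through: returns the outcome of each change and the archive size."""
    conn = open_db()
    create_user(conn, "paulfp", "pussycat")
    results = [
        change_password(conn, "paulfp", "pussycat"),   # same as current: rejected
        change_password(conn, "paulfp", "second"),     # accepted; "pussycat" archived
        change_password(conn, "paulfp", "pussycat"),   # found in archive: rejected
        change_password(conn, "paulfp", "third"),      # accepted; "second" archived
    ]
    return results, history_count(conn, "paulfp")


if __name__ == "__main__":
    print(run_trigger_scenario())
```

A rejected change leaves no trace in pwd_history because the BEFORE trigger aborts the statement before the AFTER trigger runs; the archive only ever grows with hashes that were genuinely in use.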
