Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Due to previously poorly designed structure, the current database that I have to work with stores users’ password as text.
Now, I am building a front end part that has to use those passwords and I certainly don’t want to be sending passwords unencrypted.
My idea is to write an Oracle function to encrypt and decrypt text password and use those functions in the stored procedures that will return encrypted data.
What would be the best approach in Oracle to do so?
If you want to write your own functions to encrypt and decrypt data, you would simply want to call the DBMS_CRYPTO
encryptanddecryptmethods with appropriate parameters (i.e. pick your encryption algorithm, your key, etc.).Of course, if you write your own routines, assuming that you store the key in the database or somewhere the database has access to, you’re not doing much for security. It’s bad to send passwords unencrypted over the network but it is generally much worse to store unencrypted passwords in the database (or encrypted passwords if there is a
decryptmethod in the database that has access to the key to decrypt the data). It’s generally a lot easier to steal data from a database than it is to sniff data getting sent over the network in order to find a password.The right answer, of course, would be to rearchitect the system so that you don’t store the passwords at all. You should be storing password hashes (which you can also generate using the
DBMS_CRYPTOpackage) which are non-reversible.