How to verify a password without ever storing a password
Idea is: Instead of storing the password in DB directly, Encrypt a word with password as a key and store it.
Example: SQL400
CREATE OR REPLACE TABLE Security_table for system name MYISERIES
(
Security_id for column C000000001 varchar(100) ALLOCATE(10) not null constraint Security_table_primary_key PRIMARY KEY,
Security_name for column C000000002 varchar(100) ALLOCATE(25) not null,
Password_Encryption for column C000000003 varchar(256) FOR BIT DATA
)
RCDFMT MYISERIESR
;
Let's say the password is MyPWD#01. So you encrypt the word COUNTRY with that as an encryption key and all you are really storing is COUNTRY.
insert into Security_table (
Security_id, Security_name, Password_Encryption)
Values('ID1', 'Test User', ENCRYPT_TDES(varchar('COUNTRY'), 'MyPWD#01'));
Now when user enter the password you pass that as a decryption key to see if it is valid.
Select DECRYPT_CHAR(Password_Encryption, 'MyPWD#01')
from Security_table
where Security_id = 'ID1';
Notes:
Test to see if the user 'ID1' was found'
Test to see if the encryption key was valid by checking the value returned.
If the value returned was not the word COUNTRY the person entered an invalid password.
Or don't let the user know they guessed the userid and return generic error if either is invalid.
No comments:
Post a Comment