How to protect confidential passwords stored in the database

Question

How to protect confidential passwords stored in the database

I am developing a web application for which end users have to create an account. This part is very simple: I will use my passwords with SHA-256 so that no one except the user knows the password. Now the tricky part. After creating the account, the user must specify the password for his mail server. Now the question is: how can I protect this password decently (the password will be stored in the database)? If I encrypt the password using TripleDES, any developer or system administrator will be able to decrypt the password and see it. What is the usual way to deal with such a problem? Many thanks.

+4

database passwords encryption

j3d Feb 22 '10 at 12:28

source share

1 answer

blowdart · Answer 1 · 2010-02-22T12:35:45+0000

The usual way to do this is to use a symmetric encryption key, which is obtained from the user's password. The standard way to do this is to use the algorithm specified in RFC2898 , which generates a set of cryptographically protected bytes, which you can use as a key and intravenously. This is probably supported by the library for your .NET language, for example, this is what I use, this is the class Rfc2898DeriveBytes .

Of course, when your user changes his password, you will have to decrypt any existing encrypted text, and then output a new key and re-encrypt.

How to protect confidential passwords stored in the database

More articles: