On Fri, Dec 23, 2011 at 4:02 PM, Ed Leafe <[email protected]> wrote:

> On Dec 21, 2011, at 5:19 PM, Grigore Dolghin wrote:
>
>> Bottom line: stick to industry-proven solutions. Every single time. No
>> matter if it's storing passwords, or using sql parameters instead of
>> concatenating the sql and checking for invalid input (this was discussed a
>> while ago). Stick to standards and you'll be safe. Try to do it on your own,
>> sooner or later someone would get thru. It's not "if", it's just "when".
>
> And on the other side of the security equation, this xkcd clearly
> illustrates the better password strategies:
> https://www.eff.org/sites/default/files/password_strength.png
And this one shows how useless a good password is: http://xkcd.com/538/

If you're using MSSQL there are a couple of handy functions:

Login:

    -- PWDCOMPARE checks a clear-text password against a stored PWDENCRYPT hash
    SELECT * FROM tblUsers WHERE Username = @Username AND PWDCOMPARE(@Password, Password) = 1

Change password:

    UPDATE tblUsers SET Password = PWDENCRYPT(@Password) WHERE UserID = @UserID

Although the msdn page says:

    PWDENCRYPT is an older function and might not be supported in a future release of SQL Server. Use HASHBYTES instead. HASHBYTES provides more hashing algorithms.

--
Paul

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/CADwx0+KZa67jR2DBtXKV7vpodCsbaK58f=SYe=_-2y2j7kd...@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
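The MSDN note quoted in the post recommends HASHBYTES over the older PWDENCRYPT/PWDCOMPARE pair. The following T-SQL is an added example written for this page, not code from the original post or the list: it carries the same login and change-password queries over to HASHBYTES with a random per-user salt, keeping every value a bound parameter as the thread recommends. The temp table, its columns, and the sample user are constructed for the example; SHA2_256 in HASHBYTES needs SQL Server 2012 or later and CRYPT_GEN_RANDOM needs 2008 or later.

```sql
-- Added example (not from the original post). Assumed table layout: a salt
-- column next to the hash so each user's password is hashed with a different
-- random value; SHA2_256 output is 32 bytes.
CREATE TABLE #tblUsers (
    UserID       int IDENTITY(1,1) PRIMARY KEY,
    Username     nvarchar(100) NOT NULL UNIQUE,
    Salt         varbinary(16) NOT NULL,
    PasswordHash varbinary(32) NOT NULL
);

-- Values as an application would bind them; they are never concatenated into SQL text.
DECLARE @Username nvarchar(100) = N'alice';                       -- constructed sample user
DECLARE @Password nvarchar(200) = N'correct horse battery staple'; -- constructed sample password

-- Create the account: a fresh random salt every time a password is set.
DECLARE @Salt varbinary(16) = CRYPT_GEN_RANDOM(16);
INSERT INTO #tblUsers (Username, Salt, PasswordHash)
VALUES (@Username, @Salt,
        HASHBYTES('SHA2_256', @Salt + CAST(@Password AS varbinary(400))));

-- Login: recompute the hash with the stored salt and compare.
-- Exactly one row back means the password matched.
SELECT UserID
FROM #tblUsers
WHERE Username = @Username
  AND PasswordHash = HASHBYTES('SHA2_256', Salt + CAST(@Password AS varbinary(400)));

-- Wrong password: the same query returns no rows.
SELECT UserID
FROM #tblUsers
WHERE Username = @Username
  AND PasswordHash = HASHBYTES('SHA2_256', Salt + CAST(N'not the password' AS varbinary(400)));

-- Change password: rotate the salt together with the hash, never reuse the old one.
DECLARE @NewSalt varbinary(16) = CRYPT_GEN_RANDOM(16);
UPDATE #tblUsers
SET Salt = @NewSalt,
    PasswordHash = HASHBYTES('SHA2_256', @NewSalt + CAST(N'new passphrase' AS varbinary(400)))
WHERE Username = @Username;

DROP TABLE #tblUsers;
```

The salt is what PWDENCRYPT managed internally; with HASHBYTES it has to be stored and prepended by hand, and the CAST to varbinary must use the same type on both the set and the check side (nvarchar here, so the stored bytes are UTF-16) or the hashes will never agree. A single SHA2_256 pass is fast by design, so where the application layer can do the hashing, a deliberately slow, salted construction such as PBKDF2 or bcrypt is the better fit for the "industry-proven solutions" rule quoted above.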

