In-Reply-To: <20020805211834.GA11783@i-u.de>

Hi,

In addition to securing the password in transit (which is very important), one must not forget to secure it when it is stored in the DB. I am not familiar with Oracle specifics, but the following general guidelines apply to any DB:

- Never store the application password in cleartext. Ideally one stores the hash of the password and compares the hash of the input password with the one stored in the DB.
- Take special care not to log the application password in any debug or error logs. This can totally compromise all other security measures you have taken.
- Ensure minimum privileges and proper access control as regards the DB itself. If the DB is open to all, then the passwords stored in the DB are liable to be compromised.
- Ensure a strong root password for the DB, and make sure that the runtime code uses a non-privileged user for operation.
- Consider not only your passwords, but passwords which you may use for external web services or third party software interfaces.

HTH,
Arvind Shyamsundar
Brainbench MVP - Internet Security
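The hash-and-compare storage the post recommends, as an added Python example that is not from the post or its author. It goes beyond the text by adding a per-user random salt, PBKDF2 key stretching and a constant-time comparison; the in-memory SQLite table and the iteration count are assumptions standing in for the real DB and its policy.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed parameters (not from the original post): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user and a fixed iteration count.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def open_store():
    """In-memory stand-in for the application DB: only salt and digest are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def register(conn, name, password):
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users (name, salt, digest) VALUES (?, ?, ?)", (name, salt, digest))


def verify(conn, name, password):
    """Re-hash the input with the stored salt and compare digests in constant time."""
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        hash_password(password)  # spend the same time as a real check for unknown users
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo():
    """Register one constructed user and report what a verifier and the DB contain."""
    conn = open_store()
    register(conn, "alice", "correct horse battery staple")
    stored = conn.execute("SELECT digest FROM users WHERE name = 'alice'").fetchone()[0]
    return {
        "ok": verify(conn, "alice", "correct horse battery staple"),
        "wrong": verify(conn, "alice", "wrong password"),
        "unknown": verify(conn, "bob", "anything"),
        "cleartext_in_db": b"correct horse" in stored,
    }
```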
This archive was generated by hypermail 2b30 : Wed Aug 07 2002 - 09:31:16 PDT