Friday, March 30, 2012

putting user accounts on the database

Hi all;

My question has 2 parts:

1- Is it secure to put user accounts (userName and password ...) on the database?

2- How can I set username and password for SQL Server 2005 Express file?

Thanks

Hi Abdul-Rahman,

"1- Is it secure to put user accounts (userName and password ...) on the database?"

Actually, the fact that you have concerns about storing the passwords in the database shows that it isn't secure :-) In my past project with SQL Server 2000, I always used an encryption function in the middle tier which encrypted the password and sent the encrypted text to SQL Server, which did the comparison of the stored and sent encrypted passwords. So the logic and the security layer were on the middle tier. In SQL Server 2005 there are more security enhancements like encryption of data:

http://www.databasejournal.com/features/mssql/article.php/3483931

AFAIK, there is no password on the database file. If you have access to attach the database file you are free to attach it, but if somebody has another opinion or facts about that, I would be glad to hear that.

HTH; Jens Suessmeyer.

|||

(1) You can protect information in various ways. But to decide how secure your protection scheme is you should provide additional information: how do you use that information and against whom you are trying to protect it?

(2) What file are you referring to? Please provide additional information.

Thanks
Laurentiu

|||

Hi all;

First, my application is based on storing some data about customers, and I hope to make something to prevent anyone from opening or connecting to the database directly and watching or editing its data, but instead, specific users can enter an application that can deal with data in tables.

I think there's a way, because I have seen somewhere a connection string that has something like: "... username=someUser ... password=pw..."

and I think this means the program enters the password to enter the DB.

"(2) What file are you referring to? Please provide additional information"

SQL 2005 Express file, which ends with the .mdf extension.

Thanks

|||

(1) SQL Server can do the authentication for you, which means you don't have to store passwords in a table and process them yourself. See Books Online, the topics on creating logins and users (CREATE LOGIN, CREATE USER). SQL Server 2005 stores SHA1 hashes of the SQL login passwords and the hashes are only visible to system administrators. If you use Windows authentication, no password is stored in the server. Books Online has more information on this:

http://msdn2.microsoft.com/en-us/library/ms130214.aspx

(2) There is no password for mdf files. If you store sensitive information in the database, you should look at the encryption features. To protect the mdf file, you should restrict access to it in Windows.

Thanks

Laurentiu
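
The approach from the last reply (let SQL Server authenticate the application with CREATE LOGIN and CREATE USER, then grant only what it needs), as an added example that is not part of any post in this thread. The names CustomerDb, app_login, app_user, app_role and dbo.Customers are hypothetical, and the password is a placeholder.

```sql
-- Added example; every object name below is hypothetical.
-- Run as a sysadmin on the SQL Server 2005 Express instance.
-- SQL logins require the instance to allow SQL Server authentication
-- (mixed mode); with Windows authentication no password is stored at all.

USE master;
GO

-- Server-level login. SQL Server keeps only a hash of this password.
CREATE LOGIN app_login
    WITH PASSWORD = '<replace-with-strong-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = CustomerDb;
GO

USE CustomerDb;
GO

-- Database user mapped to the login. It has no rights until granted.
CREATE USER app_user FOR LOGIN app_login;
GO

-- Grant through a role so the application's rights are defined once.
CREATE ROLE app_role;
GO
EXEC sp_addrolemember 'app_role', 'app_user';
GO

-- Only what the application needs on the customer table:
-- no DELETE, no DDL, no access to other tables.
GRANT SELECT, INSERT, UPDATE ON OBJECT::dbo.Customers TO app_role;
GO

-- Verify: list the permissions the role actually holds.
SELECT pr.name AS principal,
       pe.permission_name,
       pe.state_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'app_role';
GO
```

The application then connects with this login in its connection string. As the reply says, this does not protect the .mdf file itself, so access to that file still has to be restricted in Windows.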
