There is an alternative to storing a reversible encrypted version of the password: you can store a hash of it (MD5 or other), then when you receive an incoming password you just hash it with the same formula and compare against the field in your database.
This adds an extra layer of obscurity in that even if someone has retrieved the hash they would still have to brute force the hash to work out what the original password was. I believe you could also mark the field as encrypted in your database; I think that this allows you to still compare against it but not actually retrieve the value (as far as I remember).

Steve

----- Original Message -----
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: "venky" <[EMAIL PROTECTED]>
Sent: Tuesday, March 11, 2003 5:49 AM
Subject: Re: [IMail Forum] ODBCUSER.dll customization

> Venky,
>
> > We got a strong requirement for encrypting the password stored in
> > SQL now but we don't know how to make IMAIL understand the
> > encryption logic...
>
> All of the user management functions are passed the password in
> clear-text. What you do with this information on its way to your
> database is entirely up to you.
>
> But--and I know I wrote on this topic relatively recently on the
> forum, so you should search the archives--it's an axiom in the
> security world that data that must be decrypted without user
> intervention is, practically speaking, unencrypted. The moment I own
> your mail server, I own all of your passwords, period. I don't care
> how they're stored in the external database.
>
> Perhaps what you should do is actually tell us/me the actual
> specifications of your project and how you came to believe that
> table-level encryption was a technical requirement. There may be
> several unexpected implementations that would serve the same purpose.
> (If you can't discuss your project's purposes openly, your specs
> probably aren't ready yet!)
>
> > Can anyone help us customize the ODBCUSER.dll?
>
> We've developed several custom external auth DLLs for IMail, so you
> can contact me off-list to discuss this further. Of course, we'll need
> to be absolutely sure of why/what/whether you need in this area, so
> continued on-list discussion would still be beneficial.
>
> > Are there any ODBC drivers available in the market, which can encrypt
> > & decrypt and can be used by IMAIL?
>
> An ODBC driver that automatically encrypts a single column all the way
> through to the table (rather than on-the-wire encryption)? Probably no
> such thing, though certainly not a necessity with the ODBCUSER.DLL
> source available.
>
> -Sandy
>
> ------------------------------------
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]
> ------------------------------------
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
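
Added example, not part of the original thread and not IMail or ODBCUSER.dll code: the store-a-hash-and-compare flow described in the reply, sketched in Python with a per-user salt and PBKDF2-HMAC-SHA256 substituted for the bare MD5 mentioned there. The function names, stored-string format and iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "pbkdf2_sha256"   # assumed label written into the stored string
ITERATIONS = 200_000       # assumed work factor; tune to your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Build the value for the password column: scheme$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the clear-text password and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed or legacy row: reject instead of raising


def unsalted_md5(password: str) -> str:
    """Bare MD5 of the password, included only to compare the stored rows."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    # Constructed sample: two accounts that happen to share one password.
    row_a = hash_password("correct horse")
    row_b = hash_password("correct horse")
    return {
        "md5_rows_identical": unsalted_md5("correct horse") == unsalted_md5("correct horse"),
        "salted_rows_identical": row_a == row_b,
        "good_login": verify_password("correct horse", row_a),
        "bad_login": verify_password("wrong guess", row_a),
        "malformed_row": verify_password("correct horse", "not-a-hash"),
    }


if __name__ == "__main__":
    print(demo())
```

With unsalted hashes, accounts sharing a password produce identical rows, so one cracked or precomputed digest exposes all of them; the salted rows differ per account.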
