 using column named 'password' bad practice


mike123
Master Smack Fu Yak Hacker

1462 Posts

Posted - 2008-11-05 : 11:15:02
Hi,

Just wondering, since it's a reserved keyword. Is it bad practice to name my column 'password' where I store the user's password?


Thanks!

mike123

SwePeso
Patron Saint of Lost Yaks

30421 Posts

Posted - 2008-11-05 : 11:18:59
You should never store the password in clear text anyway.
Hash the password. Then rename column to PasswordHash.



E 12°55'05.63"
N 56°04'39.26"

Vinnie881
Master Smack Fu Yak Hacker

1231 Posts

Posted - 2008-11-05 : 11:21:26
I typically have named the column password (if someone is looking for the PW table and column in your db, it is not very difficult to find regardless of what you name it), but make sure to properly hash the password with "salt" characters and never just store the password as plain text.


Success is 10% Intelligence, 70% Determination, and 22% Stupidity.
\_/ _/ _/\_/ _/\_/ _/ _/- 881

Vinnie881
Master Smack Fu Yak Hacker

1231 Posts

Posted - 2008-11-05 : 11:22:01
and Peso wins the race again :)


Success is 10% Intelligence, 70% Determination, and 22% Stupidity.
\_/ _/ _/\_/ _/\_/ _/ _/- 881

mike123
Master Smack Fu Yak Hacker

1462 Posts

Posted - 2008-11-05 : 11:42:59
thanks guys, will look into password hashing tonight!

just wondering tho, for an old system, and argument's sake ..

is there anything specifically bad about storing columns named these reserved keywords? I'm sure it's best to avoid but don't have any hard facts.....

thanks again!,
mike123


Vinnie881
Master Smack Fu Yak Hacker

1231 Posts

Posted - 2008-11-05 : 12:05:08
From my understanding, in a properly secured db, no, not really. If someone is able to gain access to any table, they are also able to see the column names in it. It's more important to secure the data rather than the name. If someone was good enough to hack into your db and it was relatively secured properly, it's fairly safe to assume that it wouldn't take them very long to figure out where the PW, UserName, etc. fields are.


Success is 10% Intelligence, 70% Determination, and 22% Stupidity.
\_/ _/ _/\_/ _/\_/ _/ _/- 881