Unconventional use for a database
Posted: September 18, 2007
It is known that smart tools are sometimes used for purposes that their inventors never considered. In fact, that’s one of the reasons we consider these tools smart and well designed. I’m not sure if Codd considered today’s multiple-terabyte monsters when he first thought about relational databases, but I am quite sure he never intended the relational database to be used as a random string generator.
Storing passwords in the database is a common practice, and Tom Kyte gives a function that hashes passwords so they can be kept in the database while staying relatively secret. Nice function, but of course that’s for pre-8.1.6 databases. We don’t have many of these today, so this solution should be extinct by now. Right.
Years back we were using a very similar solution for keeping passwords in the database. The application originally using this solution is long gone now, but at some point another developer found our digest function and found a unique use for it:
When he creates a new user, he uses our hash function to create a complicated-looking string and gives it to the user as a password. So user Fred got the result of select digest('fred','welcome') from dual as his password. Of course now we can’t keep the hashed value in the database, because it is now the real password. No problem. The developer used a Java library to encrypt the hashed string and store it in the database.
You think this is silly? Imagine what I thought when the owner of this application dropped by my cube and asked me to use the famous digest function to generate a password for a user he had created on a Windows machine. Yes, a good old Windows user.
I was so amused by this that I didn’t even try to explain to him that this password is just as good as any string he will invent. People are so easily impressed by those horrible strings!
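To make the scheme concrete, here is an added example (not code from the original post). The digest function below is a hypothetical SHA-256 stand-in, since the post does not show the real function's algorithm, and the sample accounts are constructed. It shows that a digest-derived password can be recomputed from the username alone, how an audit can flag such credentials, and a CSPRNG-based replacement.

```python
import hashlib
import hmac
import secrets
import string

def digest(username: str, word: str) -> str:
    # Hypothetical stand-in for the post's digest(username, word) database
    # function; SHA-256 is an assumption, the real algorithm is not shown.
    return hashlib.sha256(f"{username}:{word}".encode()).hexdigest()[:16].upper()

def derived_password(username: str, word: str = "welcome") -> str:
    """The scheme from the post: the digest output is handed out as the password."""
    return digest(username, word)

def random_password(length: int = 16) -> str:
    """Replacement: characters drawn from the OS CSPRNG, unrelated to the user."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def is_derived(username: str, password: str, known_words=("welcome",)) -> bool:
    """Audit check: is this credential just digest(username, word) for a known word?"""
    return any(
        hmac.compare_digest(digest(username, w), password) for w in known_words
    )

def audit(credentials: dict) -> list:
    """Return the accounts whose password can be recomputed from the username."""
    return sorted(u for u, p in credentials.items() if is_derived(u, p))

# Constructed sample accounts: two use the digest scheme, one a random password.
SAMPLE = {
    "fred": derived_password("fred"),
    "wilma": derived_password("wilma"),
    "barney": random_password(),
}

if __name__ == "__main__":
    # The string looks random, but it is identical on every run.
    print(derived_password("fred"), derived_password("fred"))
    print("accounts to rotate:", audit(SAMPLE))
```

The derived string is a pure function of the username and a fixed word, so its apparent complexity adds nothing; only the random_password output is unpredictable to someone who knows the function.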