Unconventional use for a database

It is known that smart tools are sometimes used for purposes that their inventors never considered. In fact, that's one of the reasons we consider these tools smart and well designed. I'm not sure if Codd considered today's multi-terabyte monsters when he first thought about relational databases, but I am quite sure he never intended the relational database to be used as a random string generator.

Storing passwords in the database is a common practice, and Tom Kyte gives a function that hashes the password so it can be kept in the database while staying relatively secret. Nice function, but of course that's for pre-8.1.6 databases. We don't have many of these today, so this solution should be extinct by now. Right.

Years back we were using a very similar solution for keeping passwords in the database. The application originally using this solution is long gone now, but at some point another developer found our digest function and found a unique use for it:

When he creates a new user, he uses our hash function to create a complicated-looking string and gives it to the user as a password. So user Fred got the output of "select digest(fred,welcome) from dual" as his password. Of course now we can't keep the hashed value in the database, because it is now the real password. No problem. The developer used a Java library to encrypt the hashed string and store it in the database.

You think this is silly? Imagine what I thought when the application owner of this application dropped by my cube and asked me to use the famous digest function to generate a password for a user he created on a Windows machine. Yes, a good old Windows user.

I was so amused by this that I didn’t even try to explain to him that this password is just as good as any string he will invent. People are so easily impressed by those horrible strings!
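The point the story is making, as an added example that is not the blog's own digest function (that one is PL/SQL; the Python stand-in below assumes an MD5-style hex digest of the two inputs): a "password" computed as digest(user, word) is a deterministic function of a known username and a fixed word, so however long the hex string looks, it carries no more entropy than those inputs, and anyone auditing issued passwords can reproduce it; the OS random source is what a generator should use instead.

```python
import hashlib
import math
import secrets

# Constructed stand-in for the blog's PL/SQL digest(user, word) function
# (assumption: an MD5-style digest of the two inputs, hex-encoded).
def digest(username: str, word: str) -> str:
    return hashlib.md5(f"{username}:{word}".encode()).hexdigest()

def apparent_entropy_bits(password: str, alphabet_size: int = 16) -> float:
    """What a 32-char hex string looks like it carries: log2(16**32) = 128."""
    return len(password) * math.log2(alphabet_size)

def derived_entropy_bits(n_usernames: int, n_words: int) -> float:
    """Upper bound on the entropy of digest(user, word): the digest is a
    deterministic function, so it has no more entropy than its inputs."""
    return math.log2(n_usernames * n_words)

def derivable_from(password: str, usernames: list[str], words: list[str]):
    """Audit check for issued passwords: return the (user, word) pair that
    reproduces this password, or None if it is not a digest of known inputs."""
    for user in usernames:
        for word in words:
            if digest(user, word) == password:
                return (user, word)
    return None

def random_password(n_bytes: int = 16) -> str:
    """The replacement: n_bytes from the OS CSPRNG, hex-encoded, so the
    32-char string really does carry 8 * n_bytes bits of entropy."""
    return secrets.token_hex(n_bytes)

if __name__ == "__main__":
    fred = digest("fred", "welcome")  # the post's "select digest(fred,welcome) from dual"
    print(fred, apparent_entropy_bits(fred))       # looks like 128 bits
    print(derived_entropy_bits(1000, 1))            # ~10 bits: 1000 users, one fixed word
    print(derivable_from(fred, ["alice", "fred"], ["welcome"]))  # ('fred', 'welcome')
    print(random_password())                        # different every run
```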


3 Comments on “Unconventional use for a database”

  1. starprogrammer says:

    Nice!

    That reminds me that I used to use an online Enigma emulator to create passwords that no one could remember.

    BTW, I was really surprised to learn from the article by Kyte that the OBFUSCATION toolkit was limited to DES with fixed key length, which is not really strong encryption.

  2. prodlife says:

    Hi Star,

    According to Oracle documentation DES is the standard encryption in the banking industry, so if it is really bad – we are in deep trouble.

    Also, dbms_obfuscation also supports triple DES which should be significantly better. I’m not sure if this was true when Tom Kyte wrote that article, but it is now.

  3. […] just a simple DBA on a complex production system, is always entertaining. This week she muses on an unconventional use for a database. The Crazy DBA rants on this week wondering Where Have All the DBAs Gone? This amusing and […]
