Password Encryption in MSSQL itself

  1. #1
    Pee Aitch Pee Dave

    Password Encryption in MSSQL itself

    So I'm wondering if it's possible to encrypt passwords in MSSQL itself?
    MSSQL has got the function "HASHBYTES" to encrypt a string to certain algorithms.

    Example:
    SELECT * FROM Login WHERE UserID = 'SuperWaffle' AND Password = HASHBYTES('SHA1', 'somepassword')

    Is something like this possible when changing all the Stored Procedures which require a password?

    If it's possible then it means you only need to do a few edits in MSSQL and your website.

    Discusszzz.
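
What the question above describes, as an added example that is not from the thread or from the GunZ database scripts: a salted HASHBYTES check done inside stored procedures. The table and procedure names (LoginHashed, spSetPasswordHashed, spCheckLoginHashed) are hypothetical, and SHA2_512 assumes SQL Server 2012 or later.

```sql
-- Added example (not from the thread). Table, column and procedure names
-- are hypothetical; the thread's real Login table is not touched here.
CREATE TABLE dbo.LoginHashed (
    AID          INT IDENTITY(1,1) PRIMARY KEY,
    UserID       VARCHAR(20)   NOT NULL UNIQUE,
    PasswordSalt VARBINARY(16) NOT NULL,
    PasswordHash VARBINARY(64) NOT NULL   -- SHA2_512 output is 64 bytes
);
GO

CREATE PROCEDURE dbo.spSetPasswordHashed
    @UserID   VARCHAR(20),
    @Password NVARCHAR(64)
AS
BEGIN
    SET NOCOUNT ON;
    -- Fresh random salt per user so equal passwords give different hashes.
    DECLARE @Salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
    -- Cast to VARBINARY explicitly: HASHBYTES hashes raw bytes, so the same
    -- text passed as VARCHAR and as NVARCHAR produces different digests.
    DECLARE @Hash VARBINARY(64) =
        HASHBYTES('SHA2_512', @Salt + CAST(@Password AS VARBINARY(128)));

    UPDATE dbo.LoginHashed
       SET PasswordSalt = @Salt, PasswordHash = @Hash
     WHERE UserID = @UserID;
    IF @@ROWCOUNT = 0
        INSERT INTO dbo.LoginHashed (UserID, PasswordSalt, PasswordHash)
        VALUES (@UserID, @Salt, @Hash);
END
GO

CREATE PROCEDURE dbo.spCheckLoginHashed
    @UserID   VARCHAR(20),
    @Password NVARCHAR(64)
AS
BEGIN
    SET NOCOUNT ON;
    -- Returns one row (AID, UserID) on a match and no rows otherwise;
    -- the stored salt and hash never leave the database.
    SELECT AID, UserID
      FROM dbo.LoginHashed
     WHERE UserID = @UserID
       AND PasswordHash = HASHBYTES('SHA2_512',
               PasswordSalt + CAST(@Password AS VARBINARY(128)));
END
GO
```

A single SHA-2 pass is fast to brute-force offline, so a deliberately slow password hash computed in the application is the stronger choice wherever the calling code can be changed.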


  2. #2
    Valued Member redigaffi

    Re: Password Encryption in MSSQL itself

    It's possible.

  3. #3
    Phoenix

    Re: Password Encryption in MSSQL itself

    Originally posted by redigaffi:
    "It's possible."

    If you say it's possible, why not elaborate? Explain more please.

  4. #4
    Aristrum Mark

    Re: Password Encryption in MSSQL itself

    As far as I know, after receiving the login request packet, MatchServer calls spGetLoginInfo, which returns the UserID, AID and Password columns. MatchServer then proceeds to check them against the values contained in the login packet.

    Since the only value passed to spGetLoginInfo is the UserID and the checking is done in MatchServer itself, you'll need to modify something other than the database, as well.

    (Assuming I'm right, that is. Feel free to correct me if you know I'm not.)

  5. #5
    Pee Aitch Pee Dave

    Re: Password Encryption in MSSQL itself

    Alright so the checks if the password is correct are not done in MSSQL itself?
    The query in spGetLoginInfo indeed says:
    "SELECT AID, UserID, Password FROM Login(nolock) WHERE UserID = @UserID"

    Which makes it impossible to add an encryption in it with MSSQL.
    That sucks.

  6. #6
    Hi, I'm Omar! Vusion

    Re: Password Encryption in MSSQL itself

    I remember having a login script (PHP) that uses a hash for the password...

    There it is:

    Code:
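    <?php
    // Already logged in: send the user back to the index page.
    // empty() avoids an undefined-index notice when the key is not set.
    if (!empty($_SESSION['Username'])) {
    	redirect("index.php");
    	return false;
    }

    // sql() is assumed to be the site's own input-escaping helper, defined elsewhere.
    $username = sql($_POST['username']);
    //$password = sql($_POST['password']);
    $stay = sql($_POST['stay']);

    // The value compared against Login.Password is the first 8 hex characters
    // of the unsalted MD5 of the submitted password.
    $pass = md5($_POST['password']);
    $hash = substr($pass, 0, 8);

    // Look up a row whose UserID and stored hash both match.
    $check = mssql_query("SELECT * FROM Login WHERE UserID = \"$username\" AND Password = \"$hash\"");
    if (mssql_num_rows($check) == 0) {
    	alert("Username or password is wrong!", "index.php");
    } else {
    	// Match: store the account identifiers in the session.
    	$data = mssql_fetch_array($check);
    	$_SESSION['Username'] = $data['UserID'];
    	$_SESSION['AID'] = $data['AID'];

    	// Fetch the account's ExePath and keep it in the session as well.
    	$select = mssql_query("SELECT * FROM Account WHERE UserID = \"$username\"");
    	$faszom = mssql_fetch_array($select);
    	$path = $faszom['ExePath'];
    	$_SESSION['ExePath'] = $path;

    	redirect("index.php");
    }
    ?>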
    Last edited by Vusion; 18-08-11 at 12:04 AM.

  7. #7
    Freelance GunZ Developer Touchwise

    Re: Password Encryption in MSSQL itself

    There were more DBs and webs with an encryption in it before. It's possible, but I ain't sure if you need to change other stuff also.

  8. #8
    A Lost Marine gago117

    Re: Password Encryption in MSSQL itself

    Linear used some password encryption at his server before.

  9. #9
    -- Nayr438

    Re: Password Encryption in MSSQL itself

    You would have to add the encryption to either match-server.exe or GunZ.exe.
    It can be hashed at the client and sent to match-server, or it can be hashed at match-server upon receiving the packet. Personally, it's simpler to add it to match-server.


