Aug 26 2008

Choosing the length of your database password

Your choice of password shows how important the data it protects is to you. If the password for your email account is passw0rd, the data in your email is evidently not important enough to you (or you have not thought about how important it is). We all know that it is generally a bad idea to store user passwords in your database as plain text. But in certain cases you may be compelled to store user passwords in the database in plain text anyway.

This means that all the user passwords are protected by a single database password. If someone brute-forces the database password, he or she can read every user password, and users, as we know, are infamous for reusing the same password for most of their accounts everywhere. The attacker can then use those passwords to get into the users' other accounts elsewhere.

As a developer/DBA, it is your job to secure the data in your database. One thing you can do is to make brute-forcing the database password at least as hard as brute-forcing all of the passwords stored in the database. This can be done by choosing the length of your database password wisely.

What should be the length of your database password?

Minimum length of database password = (average length of the user passwords in the db) * log2(number of user passwords) / 8

For example, if you are storing 1024 passwords of average length 8 characters, log2(1024) = 10, so the formula gives 8 * 10 / 8 = 10: your database password should be at least 10 characters long.
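The following Python script is an added example, not code from the original post. It implements the post's formula (rounding up to whole characters) and, as a check a practitioner would want, puts the resulting database password length next to the brute-force work it implies. The comparison model is this example's own assumption: an exhaustive search over a 95-symbol printable-ASCII alphabet, with "all user passwords" meaning the passwords are searched one after another (n * alphabet**length candidates). The function names and the sample sizes are constructed for the example.

```python
import math

# Assumption for the comparison (not from the post): passwords are drawn from
# the 95 printable ASCII characters. The post's formula itself does not depend
# on the alphabet.
PRINTABLE_ASCII = 95


def min_db_password_length(avg_user_pw_len: float, n_passwords: int) -> int:
    """Minimum database password length per the post's formula:
    (average user password length) * log2(number of passwords) / 8,
    rounded up to whole characters."""
    if n_passwords < 1:
        raise ValueError("n_passwords must be at least 1")
    if avg_user_pw_len <= 0:
        raise ValueError("avg_user_pw_len must be positive")
    raw = avg_user_pw_len * math.log2(n_passwords) / 8
    return math.ceil(raw)


def brute_force_bits(length: float, alphabet: int = PRINTABLE_ASCII) -> float:
    """log2 of the number of candidates an exhaustive search must try for one
    password of the given length over the given alphabet size."""
    return length * math.log2(alphabet)


def compare_work(avg_user_pw_len: float, n_passwords: int,
                 alphabet: int = PRINTABLE_ASCII) -> tuple:
    """Return (db_len, db_bits, all_users_bits):
    - db_len: database password length from the post's formula
    - db_bits: log2 work to exhaust a database password of that length
    - all_users_bits: log2 work to exhaust every user password in turn,
      i.e. n_passwords * alphabet**avg_user_pw_len (this sequential model is
      the example's assumption, not the post's)."""
    db_len = min_db_password_length(avg_user_pw_len, n_passwords)
    db_bits = brute_force_bits(db_len, alphabet)
    all_users_bits = math.log2(n_passwords) + brute_force_bits(avg_user_pw_len, alphabet)
    return db_len, db_bits, all_users_bits


if __name__ == "__main__":
    # Constructed sample sizes; the first row is the post's own example.
    print(f"{'users':>8} {'avg len':>8} {'db len':>7} {'db bits':>8} {'all users bits':>15}")
    for n_users in (1024, 10_000, 1_000_000):
        db_len, db_bits, all_bits = compare_work(8, n_users)
        print(f"{n_users:>8} {8:>8} {db_len:>7} {db_bits:>8.1f} {all_bits:>15.1f}")
```

Run it directly to print the table; the 1024-user row reproduces the post's answer of a 10-character database password. The last column lets you see how the two brute-force efforts relate under the stated alphabet assumption as the number of stored passwords grows.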

6 Responses to “Choosing the length of your database password”

  1. silky
    on 26 Aug 2008 at 1:14 pm

    personally I see no reason to have db passwords < 50 chars or more. you’ll just save it somewhere anyway (now that’s the critical part), but the password itself should always be long and untypable, imho.

  2. Niyaz PK
    on 26 Aug 2008 at 1:43 pm

    silky,
    Thanks for the comment.
    My formula will help you to substitute the correct number in place of the arbitrary value - 50.

    As an aside, I still miss your blog too much.

  3. Richa
    on 26 Aug 2008 at 4:00 pm

    Hi,

    I am Richa from SiliconIndia. I have also been an avid blogger for a while now and participate actively in the Indian blogosphere. I read your blog postings and found them very interesting and informative. We would love to see a copy of your blogs posted here whenever you post them on blogger.com. Here are some of the benefits of posting your blogs here:

    We have a strong community of 500,000 Indian professionals
    Best blogs of 2008 to be published in a book “SiliconIndia bLoG PrinT”
    Best blog to be printed in SiliconIndia & SmartTechie magazines each month
    Chance to be featured on homepage everyday

    We appreciate your community initiative here and in helping build a more powerful India! Also, if you have any ideas or want to volunteer to help for SiliconIndia, we would be more than excited to get your help. Pls mail me back at richa@siliconindia.com with your suggestions and feedback.

    Richa
    Blog Editor – SiliconIndia

  4. silky
    on 28 Aug 2008 at 1:01 pm

    Thanks Niyaz :)

  5. jakfrost
    on 06 Sep 2008 at 11:07 am

    You may want to include some explanation, reason, or rationale for your equation to calculate the proper length of a db password. Why is the equation you proposed better than any other? Please explain.

  6. Niyaz PK
    on 06 Sep 2008 at 11:10 am

    jakfrost,
    The rationale is given in the article:

    One thing you can do is to make the brute forcing of the database password as hard as brute forcing all the passwords in the database.

    The equation finds the length of the password that conforms to this requirement.
