Web Database - How to store user information
Problem
I'm starting to design a database to use in a web solution and would like to understand if there is any benefit to storing passwords (and the rest of the user information for that matter) in a separate table to the table with the user id.
Solution
The one benefit of storing passwords in a separate table, if you have a db that supports this, is that you can use a security definer function to read the passwords, and this prevents SQL injection or the like from reading them in other queries. Think of it as being like the /etc/shadow file on Linux. Of course this is in addition to salted hashes.
This being said, I am of the opinion you should really avoid storing passwords in your database. The less of this sort of thing your app does, the less you have to worry about security-wise. Outsource it to OpenID providers, etc., or if it is an intranet app, something like LDAP, AD, or the like.
Context
StackExchange Database Administrators Q#24061, answer score: 4
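An added example, not part of the original answer: the separate-table layout with a security definer function, written for PostgreSQL with the pgcrypto extension. The table names, the `web_app` role and the `check_password` function are hypothetical, and the sample user is constructed.

```sql
-- Run as the schema owner. pgcrypto supplies crypt() and gen_salt().
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE users (
    user_id  integer PRIMARY KEY,
    username text NOT NULL UNIQUE
);

-- Password hashes live apart from the profile data, like /etc/shadow.
CREATE TABLE user_secrets (
    user_id       integer PRIMARY KEY REFERENCES users ON DELETE CASCADE,
    password_hash text NOT NULL
);

-- web_app is the role the application connects as (assumed name).
-- It may read profiles but has no privilege at all on the hash table,
-- so an injected "SELECT ... FROM user_secrets" fails with a permission error.
CREATE ROLE web_app LOGIN;
GRANT SELECT ON users TO web_app;
REVOKE ALL ON user_secrets FROM PUBLIC, web_app;

-- SECURITY DEFINER: the body runs with the owner's privileges, so it can
-- read user_secrets, but it only ever returns true or false.
-- The fixed search_path stops a caller from shadowing crypt() or the tables.
CREATE FUNCTION check_password(p_username text, p_password text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM users u
        JOIN user_secrets s USING (user_id)
        WHERE u.username = p_username
          AND s.password_hash = crypt(p_password, s.password_hash)
    );
$$;

-- Functions are executable by PUBLIC by default; restrict to the app role.
REVOKE ALL ON FUNCTION check_password(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION check_password(text, text) TO web_app;

-- Constructed sample data, inserted by the owner with a salted bcrypt hash.
INSERT INTO users VALUES (1, 'alice');
INSERT INTO user_secrets VALUES (1, crypt('sample-passphrase', gen_salt('bf')));

-- What the application runs as web_app: returns true for the right password.
SELECT check_password('alice', 'sample-passphrase');
```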