4 Authentication and Password Security
In Chapter 1, you learned about secure installations of your database and that you should fully understand and use the built-in mechanisms within your database—mechanisms that help you authorize and enforce activities within your database. However, in order to authorize and enforce, you must be able to first identify the party that is requesting the action. This identification process is closely linked to the authentication process—the process in which the server can prove to itself that the requesting party is who it claims to be. Authentication and various related topics are the subject of this chapter.

Authentication forms the basis of any security model, as shown in Figure 4.1. If you cannot authenticate a user, how can you assign any privileges? The SANS glossary (www.sans.org/resources/glossary.php) defines authentication as “the process of confirming the correctness of the claimed identity”—it is the process where an entity provides proof that it is who it is claiming to be. The issue of identity is separate from authentication, and several methods are used to define an identity. Methods by which you can identify a party include the following:

Something that the party knows (e.g., username and password)
Something that the party possesses (e.g., a badge, smart card, or certificate)
Some biometric attribute that the party has (e.g., fingerprints or a retinal pattern)

The focus of this chapter is on the authentication process, and I will always use the username/password identity-creating method. Usernames and passwords are by far the most common methods you will encounter.