>I am working on an application where there are users and roles. The functionality allowed to a user will be determined by their role.
>What's the best way to store user info, i.e., UserName, Password? I will want it encrypted, but should all the user data be encrypted in the user table, or just the UserName & password?
>
>Second, assume I have a calendar module and a documents module (for document management). Some users will not have access to each module. What's the best way to set all this up in the data?
>
>Thanks
Only a partial answer.
Do not store encrypted passwords in a table - they can be decrypted - and sometimes there is an indication of the length of the password.
Instead, hash a transformation of the password.
A transformation, e.g.:
- reverse the sequence
- append/prepend some chars of the password so that the length >= 32
- encrypt with AES-128 or AES-256 CBC with an IV and key that are derived from the password
Hash: e.g. MD5 or SHA-256.
That way: (1) there is never an indication of the length of the password, (2) it cannot be decrypted, (3) the hash is always the same length and does not depend on the length of the password.
Gregory
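As an added example for both parts of the question (it is not code from the thread or from Gregory's reply), the block below shows what the user table actually needs to hold when passwords are stored as a hash rather than encrypted, and how a roles table can gate access to the calendar and documents modules. It uses a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) as the one-way transformation; the iteration count, the role names, the module names and the dict-based "tables" are all constructed for the example and are not from the original post.

```python
"""Added example (not from the original thread): storing password
verifiers and role-based module access for a users/roles schema.

Assumptions (constructed for this example, not stated in the thread):
- A password verifier is PBKDF2-HMAC-SHA256 with a random 16-byte salt
  and a fixed iteration count; only salt, iteration count and derived
  key are stored, never the password and never anything decryptable.
- Each role maps to a set of module names; a user has exactly one role.
- Plain dicts stand in for the users / roles database tables.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumed tuning value for the example
SALT_BYTES = 16
DK_LEN = 32                   # derived key length in bytes


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return the columns to store for a user's password.

    The stored hash has a fixed size regardless of password length, cannot
    be reversed to recover the password, and differs per user because each
    user gets a fresh random salt.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DK_LEN)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_password(password: str, stored: dict) -> bool:
    """Recompute the derived key from the stored salt and compare in
    constant time, so a mismatch does not leak how many bytes matched."""
    salt = bytes.fromhex(stored["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, stored["iterations"], dklen=DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(stored["hash"]))


# Constructed sample "roles" table: role name -> modules it may use.
ROLE_MODULES = {
    "admin": {"calendar", "documents"},
    "staff": {"calendar"},
    "guest": set(),
}


def create_user(users: dict, username: str, password: str, role: str) -> None:
    """Insert a row holding only role, salt, iteration count and hash."""
    if role not in ROLE_MODULES:
        raise ValueError(f"unknown role: {role}")
    users[username] = {"role": role, **make_verifier(password)}


def authenticate(users: dict, username: str, password: str) -> bool:
    """True only if the user exists and the password matches.

    An unknown username still runs one PBKDF2 computation so the response
    time does not reveal which usernames exist.
    """
    row = users.get(username)
    if row is None:
        make_verifier(password, salt=b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, row)


def can_access(users: dict, username: str, module: str) -> bool:
    """Module access is decided by the user's role, not stored per user."""
    row = users.get(username)
    if row is None:
        return False
    return module in ROLE_MODULES.get(row["role"], set())


def demo() -> dict:
    """Build a small constructed user table and exercise the checks."""
    users: dict = {}
    create_user(users, "alice", "correct horse battery staple", "admin")
    create_user(users, "bob", "hunter2", "staff")
    return {
        "alice_login_ok": authenticate(users, "alice", "correct horse battery staple"),
        "alice_wrong_pw": authenticate(users, "alice", "wrong"),
        "unknown_user": authenticate(users, "carol", "anything"),
        "bob_calendar": can_access(users, "bob", "calendar"),
        "bob_documents": can_access(users, "bob", "documents"),
        "hash_len_fixed": len(users["alice"]["hash"]) == len(users["bob"]["hash"]) == DK_LEN * 2,
        "salts_differ": users["alice"]["salt"] != users["bob"]["salt"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the outcome of each check. The point of `hash_len_fixed` and `salts_differ` is that the stored column reveals nothing about the password's length and that two users with the same password still get different rows; the remaining user columns (display name, e-mail and so on) do not need this treatment, since they are data the application has to read back, not secrets it only has to check.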