Using password hints with value-level encryption

Db2 can store encryption password hints to help with forgotten encryption passwords. Each password hint uses 32 bytes in the encrypted column.

About this task

For value-level encryption, the password hint is set with the ENCRYPT keyword. The GETHINT function returns the password hint.

Recommendation: Use host variables instead of literal values for all passwords and password hints. If the statements contain literal values for passwords and password hints, the security of the encrypted data can be compromised in the Db2 catalog and in a trace report.

Example

Suppose that you want the application from the previous example to use a hint to help customers remember their passwords. The application stores the hint in the host variable pswdhint. For this example, assume the values 'Tahoe' for userpswd and 'Ski Holiday' for pswdhint. The application uses the following statement to insert the customer information: Begin general-use programming interface information.
INSERT INTO CUSTOMER (CCN, NAME) 
  VALUES(ENCRYPT(:cardnum, :userpswd, :pswdhint), :custname);
End general-use programming interface information.

If the customer requests a hint about the password, the following query is used:

Begin general-use programming interface information.
SELECT GETHINT(CCN) INTO :pswdhint FROM CUSTOMER WHERE NAME = :custname;
End general-use programming interface information.

The value for pswdhint is set to 'Ski Holiday' and returned to the customer. Hopefully the customer can remember the password 'Tahoe' from this hint.