Using password hints with value-level encryption (deprecated)

Password hints are only supported with the deprecated ENCRYPT_TDES function. The recommended ENCRYPT_DATAKEY function uses key labels instead of passwords and does not support password hints.

About this task

Tip: Password hints are only available with the deprecated ENCRYPT_TDES function. For better security, use the ENCRYPT_DATAKEY function instead, which uses key labels managed through ICSF rather than passwords. For more information, see ENCRYPT_DATAKEY scalar function and .

For value-level encryption using the deprecated ENCRYPT_TDES function, the password hint is set with the ENCRYPT keyword. The GETHINT function returns the password hint.

Recommendation: Use host variables instead of literal values for all passwords and password hints. If the statements contain literal values for passwords and password hints, the security of the encrypted data can be compromised in the Db2 catalog and in a trace report.

Example

Suppose that you want the application from the previous example to use a hint to help customers remember their passwords. The application stores the hint in the host variable pswdhint. For this example, assume the values 'Tahoe' for userpswd and 'Ski Holiday' for pswdhint. The application uses the following statement to insert the customer information: Begin general-use programming interface information.

Begin general-use programming interface information.

INSERT INTO CUSTOMER (CCN, NAME) 
  VALUES(ENCRYPT(:cardnum, :userpswd, :pswdhint), :custname);

End general-use programming interface information.

If the customer requests a hint about the password, the following query is used:

SELECT GETHINT(CCN) INTO :pswdhint FROM CUSTOMER WHERE NAME = :custname;

The value for pswdhint is set to 'Ski Holiday' and returned to the customer. Hopefully the customer can remember the password 'Tahoe' from this hint.