You could use simple stored procedure that returns 0 if valid and 1 if invalid. You should probably use the CryptoAPI to encrypt the passwords in the database and the call the same CryptoAPI when logging on to the system. The connection used should be generic and only have access to this one login stored procedure. Make sure you revoke all other permissions on the database for this generic user.