JWT password validation question

  • Question

  • User-1104215994 posted

    Hello guys,

    I have an asp.net web API. I implemented a token authentication that I am trying to validate user name and password from the database. I am new to JWT so I need your advice.

    Here are my questions:

    1. Should I encrypt username and password in my database?
    2. The client sends the username and password in the request body. Should the client send them in the header? And should they be encrypted?

    Best Regards.

    Sunday, March 3, 2019 6:09 PM

Answers

  • User475983607 posted

    I have an asp.net web API. I implemented a token authentication that I am trying to validate user name and password from the database. I am new to JWT so I need your advice.

    I recommend that you set aside time to learn standard practices which you can learn by going through many of the tutorials in this site.  Also learn JWT.

    https://jwt.io/

    1. Should I encrypt username and password in my database?

    No.  Passwords are hashed and usernames are stored in plain text.

    2. The client sends the username and password in the request body, Should the client send them in the header?

    Commonly username and password are submitted in the HTTP message body.

    And should they be encrypted?

    Yes, always use TLS (HTTPS).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, March 3, 2019 10:13 PM

All replies

  • User-1104215994 posted

    Is there any asp.net web api 2 tutorial about storing hash+salt on DB and comparing user password by hashing with salt?

    Monday, March 4, 2019 6:57 PM
  • User475983607 posted

    Is there any asp.net web api 2 tutorial about storing hash+salt on DB and comparing user password by hashing with salt?

    Yes, there are many examples that you can find by doing a basic internet search. 

    https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/consumer-apis/password-hashing?view=aspnetcore-2.2

    I recommend using the APIs that come with ASP.NET like Identity rather than rolling your own.

    Monday, March 4, 2019 7:22 PM