Encrypt Password

  • Question

  • User546194788 posted

    I used encryption code to save passwords in a table.
    For example, if user Smith Rice's login password is "Pass987$$", it will be saved as "DLMyAdxvqXzOWZB5BuyW1YFR4JftD7jkQP/VHBHPTH8=" after encryption.
    But IT people said that this is not good enough for security, because Smith Rice can copy "DLMyAdxvqXzOWZB5BuyW1YFR4JftD7jkQP/VHBHPTH8=" over another user's password and then log in more easily by typing "Pass987$$".
    Is there another way to avoid this?

    Wednesday, November 21, 2018 4:11 PM

All replies

  • User753101303 posted

    Hi,

    Passwords are usually "hashed", i.e. you can't even retrieve the original value. ASP.NET does have support for handling authentication and users (for example "ASP.NET Identity"). I would suggest using what is provided out of the box rather than creating your own.

    Wednesday, November 21, 2018 4:29 PM
  • User-821857111 posted

    What he said ^^^

    If you want something really quick to use without having to get involved in the Membership or Identity APIs, you can use the Crypto helper class from System.Web.Helpers. You can get the source code here: https://github.com/aspnet/AspNetWebStack/blob/master/src/System.Web.Helpers/Crypto.cs.

    You can hash passwords for storage using the HashPassword method, and then you can check submitted passwords against the stored hashed version using the VerifyHashedPassword method.

    Wednesday, November 21, 2018 4:39 PM
  • User-37275327 posted

    What about encrypting/decrypting your password with your own key? Check this out:

    https://forums.asp.net/t/2092209.aspx?How+to+encrypt+and+Decrypt+password+in+asp+net+web+forms

    Thursday, November 22, 2018 2:40 AM
  • User-271186128 posted

    Hi aspfun,

    But IT people said that this is not good enough for security, because Smith Rice can copy "DLMyAdxvqXzOWZB5BuyW1YFR4JftD7jkQP/VHBHPTH8=" over another user's password and then log in more easily by typing "Pass987$$".
    Is there another way to avoid this?

    You could prevent users from directly accessing the database, so that only a super admin has permission to access it.

    If a user wants to create an account or modify his/her password, he/she can only do it via your application. Then, in your application, before the user inserts or modifies the password, you encrypt it. Thus, even though Smith Rice can copy "DLMyAdxvqXzOWZB5BuyW1YFR4JftD7jkQP/VHBHPTH8=", it will be encrypted again.

    Best regards,
    Dillion

    Thursday, November 22, 2018 6:27 AM
  • User1281381861 posted

    As Dillion mentioned, you need to restrict database access so that the end user cannot modify the values directly in the DB.

    There should be only one way to modify those values, and that should be the web application.

    Thursday, November 22, 2018 7:08 AM
  • User-821857111 posted

    What about encrypting/decrypting your password with your own key? Check this out:

    https://forums.asp.net/t/2092209.aspx?How+to+encrypt+and+Decrypt+password+in+asp+net+web+forms

    If you can decrypt a password, it is not secure. This is as bad as storing it in plain text, in my opinion. There should be no need to decrypt a user's password.

    Thursday, November 22, 2018 11:48 AM
  • User-37275327 posted

    The password will be secure as long as the key is secure; otherwise I am on your side.

    Friday, November 23, 2018 1:32 AM
  • User1281381861 posted

    Mike is correct.

    The encrypted/hashed password should match exactly what is already present in the database, i.e. the encrypted/hashed one.

    Friday, November 23, 2018 5:30 AM
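As an added example (not code from this thread, from ASP.NET Identity or from System.Web.Helpers), the Python below implements the hash-and-verify pair the replies recommend (a random per-password salt, PBKDF2, and one base64 string holding a version byte, the salt and the derived subkey, in the spirit of Crypto.HashPassword / VerifyHashedPassword) and then works through the exact scenario in the question: copying Smith Rice's stored value over another user's row. The iteration count, hash function, function names and the two-row user table are this example's own assumptions. It also goes one step beyond the thread by optionally mixing the account id into the salt, which makes a copied value fail verification for any account other than the one it was created for.

```python
import base64
import hashlib
import hmac
import os

# Parameters chosen for this example; they are not the values used by
# System.Web.Helpers.Crypto or ASP.NET Identity.
ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16           # random salt stored next to the subkey
SUBKEY_BYTES = 32         # length of the PBKDF2 output
FORMAT_VERSION = 0x00     # leading byte so the format can be changed later


def hash_password(password: str, user_id: str = "") -> str:
    """Return base64(version || salt || PBKDF2 subkey) for storage.

    The plaintext cannot be recovered from the result; there is no decrypt.
    If user_id is given it is mixed into the salt, so the stored value only
    verifies for the account it was created for (an extra layer on top of
    restricting write access to the table).
    """
    salt = os.urandom(SALT_BYTES)
    subkey = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        salt + user_id.encode("utf-8"), ITERATIONS, dklen=SUBKEY_BYTES)
    return base64.b64encode(bytes([FORMAT_VERSION]) + salt + subkey).decode("ascii")


def verify_password(stored: str, password: str, user_id: str = "") -> bool:
    """Re-derive the subkey from the submitted password and compare it."""
    try:
        blob = base64.b64decode(stored, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    if len(blob) != 1 + SALT_BYTES + SUBKEY_BYTES or blob[0] != FORMAT_VERSION:
        return False
    salt = blob[1:1 + SALT_BYTES]
    expected = blob[1 + SALT_BYTES:]
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        salt + user_id.encode("utf-8"), ITERATIONS, dklen=SUBKEY_BYTES)
    return hmac.compare_digest(expected, actual)   # constant-time compare


def demo() -> dict:
    """Constructed two-row user table (not real data) walking through the
    question's attack: copy one user's stored value into another user's row."""
    results = {}

    # Both users happen to pick the same password as in the question.
    users = {"smith.rice": hash_password("Pass987$$"),
             "jane.doe": hash_password("Pass987$$")}

    # A random salt per password: the two stored strings differ, so nobody
    # can tell from the table that the passwords are equal.
    results["distinct_hashes"] = users["smith.rice"] != users["jane.doe"]
    results["login_ok"] = verify_password(users["smith.rice"], "Pass987$$")
    results["wrong_password_rejected"] = not verify_password(users["smith.rice"], "pass987$$")

    # The attack from the question: Smith copies his value over Jane's row.
    # Salt and subkey travel together, so the copied value still verifies
    # with Smith's password. Plain hashing does not stop this; only keeping
    # users from writing to the table does.
    users["jane.doe"] = users["smith.rice"]
    results["copied_hash_still_logs_in"] = verify_password(users["jane.doe"], "Pass987$$")

    # Binding the hash to the account id: the same copy now fails for Jane
    # while Smith's own login keeps working.
    bound = {u: hash_password("Pass987$$", user_id=u) for u in ("smith.rice", "jane.doe")}
    bound["jane.doe"] = bound["smith.rice"]
    results["bound_copied_hash_rejected"] = not verify_password(
        bound["jane.doe"], "Pass987$$", user_id="jane.doe")
    results["bound_owner_ok"] = verify_password(
        bound["smith.rice"], "Pass987$$", user_id="smith.rice")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two things the run makes visible. Hashing fixes what reversible encryption cannot: there is no key to protect and no way to get "Pass987$$" back from the stored string, and equal passwords no longer produce equal rows. It does not by itself fix the copy-the-row attack, because the salt is stored beside the subkey; that is why the replies about restricting direct database access still apply. Mixing the account id into the salt is an optional hardening that makes a copied row useless for another account, at the cost of having to re-hash when an account id changes.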