Not Storing Password in Database [C#.net 2.0]

  • Question

    Hi

    I have a critical requirement with my C#.net programming.

    I am using C#.net 2.0, and the database is SQL Server 2005.

    The requirement is that I should store the password in the database, and also the way the password is stored in memory I should guess or track. I need to do this using C#.net 2.0 coding.

    Is it possible? If it is possible, please help and give sample code or a suggestion.

    It is very urgent.

    Kind regards,

    se

    Thursday, November 29, 2007 8:39 AM

All replies

  • What exactly is your problem?
    Thursday, November 29, 2007 9:45 AM
  • The problem is:

    The password should not be stored in the database; only the username should be stored,

    and the password should be stored somewhere else apart from the database, in memory or somewhere else,

    where one cannot guess where the password is stored. This is for security reasons, from the client requirement.

    I am using C#.net 2.0 and database SQL Server 2005.

    Is it possible to do this in dotnet?

    Thursday, November 29, 2007 9:56 AM
  • Well, I don't know why you don't want to save the password in the DB.
    You can easily store it in the DB in encrypted form.

    If you still want to save this info somewhere else, then try to save your info in some encrypted file, maybe text or XML.
    I prefer an encrypted XML file,
    but again there is a possibility that someone can delete this file.
    The rest is up to you.

    As per my knowledge, no program is 100% safe.

    ++++++++++++++++++++++++++++
    Exceptions are always there.
    Thursday, November 29, 2007 10:04 AM
  • Maybe that helps:
    http://www.15seconds.com/issue/000217.htm

    Storing the password in the database is very common and secure (if done with caution).
    Thursday, November 29, 2007 10:50 AM
  • Personally I don't like to store passwords (encrypted or not). I prefer to store hashes of them. And whenever the user provides credentials, I'll calculate the hash of the provided password and compare it with the hash in my database.

    This way, even when a malicious hacker gets access to my database, he will not know the original password. This advantage also means that it's impossible to "recover" a password (but generating a new one should be a convenient workaround).
    Thursday, November 29, 2007 12:25 PM
  • Hello timvw,
    Can you please give me a link on how to
    "hash the provided password and compare it with the hash in the database"?
    It will be so kind of you.

    Thanks.
    Thursday, November 29, 2007 12:39 PM
  • A simple websearch for ".net hash password" will return more than enough examples...
    Thursday, November 29, 2007 1:25 PM
  • Hi,

    Storing hashes is the way to go.  Salting the password is also a must-have if the security requirements are high:

    Here's some sample code:

        using System.Security.Cryptography;
        using System.Text;

        /// <summary>
        /// http://blog.stevex.net/index.php/c-code-snippet-creating-an-md5-hash-string/
        /// </summary>
        class CHashLib
        {
          // Create an MD5 sum string (uppercase hex) of this string
          static public string GetMd5Sum(string str)
          {
            // First we need to convert the string into bytes, which
            // means using a text encoder.
            Encoder enc = Encoding.Unicode.GetEncoder();

            // Create a buffer large enough to hold the string
            // (UTF-16 encoding: two bytes per char)
            byte[] unicodeText = new byte[str.Length * 2];
            enc.GetBytes(str.ToCharArray(), 0, str.Length, unicodeText, 0, true);

            // Now that we have a byte array we can ask the CSP to hash it
            MD5 md5 = new MD5CryptoServiceProvider();
            byte[] result = md5.ComputeHash(unicodeText);

            // Build the final string by converting each byte
            // into hex and appending it to a StringBuilder
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < result.Length; i++) {
              sb.Append(result[i].ToString("X2"));
            }

            // And return it
            return sb.ToString();
          }
        }



    The whole process should look like this. A better salt should include non-typable bytes such as char > 128.  With the scheme below the username must not be changed without changing the password.

        // User is the application's own entity type (not shown here).
        public User CreateUser(string username, string password)
        {
            User usr = new User(username);
            // Salt = a fixed marker plus a hash of the username, so the same
            // password for two different users gives two different hashes.
            usr.PasswordHash = CHashLib.GetMd5Sum(password + "⌠Θ╙" + CHashLib.GetMd5Sum(username));
            return usr;
        }

    To check the password you do the reverse:

        public bool IsPasswordValid(string username, string password)
        {
            User usr = User.GetByUsername(username);
            bool result = false;
            if (usr != null) {
                // Recompute with the same salt construction and compare to the stored hash
                result = usr.PasswordHash == CHashLib.GetMd5Sum(password + "⌠Θ╙" + CHashLib.GetMd5Sum(username));
            }
            return result;
        }

    This should get you started. Hope this helps,
    Charles
    Friday, November 30, 2007 2:24 AM