A simple security question

Discussion in 'ASP .Net' started by Oriane, Sep 5, 2008.

  1. Oriane

    Oriane Guest

    Hi,

    With Asp.net 2.0, when an internet user logs in with a "login authentication
    form", is the password encrypted when it is sent to the server? Is it
    hashed?

    Best regards
     
    Oriane, Sep 5, 2008
    #1
  2. Oriane

    darrel Guest

    > With Asp.net 2.0, when an internet user logs in with a "login
    > authentication form", is the password encrypted when it is sent to the
    > server?


    Via HTTP? No.

    Via HTTPS? Yes.

    -Darrel
     
    darrel, Sep 5, 2008
    #2
  3. Darrel didn't answer your question fully. You asked hashed or encrypted. My
    understanding is that hashed strings can't be unhashed (not meant to be
    anyway unless the hash has been cracked). I'm sure HTTPS is encrypting, not
    hashing. Passwords or any other data that's sent via HTTPS would have to be
    decrypted on the other side. The only way to "un"hash a password is to use
    the same salt to hash the one on the other end and see if they match. Not
    really unhashing at all. Does that make sense? If I'm wrong, I'm sure
    someone will jump in and say so. :)


    "Oriane" <> wrote in message
    news:#...
    > Hi,
    >
    > With Asp.net 2.0, when an internet user logs in with a "login
    > authentication form", is the password encrypted when it is sent to the
    > server? Is it hashed?
    >
    > Best regards
     
    Keith G Hicks, Sep 6, 2008
    #3
  4. Hi Oriane,

    Regarding your question, I think the answer is:

    Without using any transport layer security approach (such as SSL/TLS), the
    password (just like any other textbox field on the page) is sent in clear
    text without any encryption or hashing.

    If you use the basic authentication of the HTTP protocol, by default it also
    only performs a base64 encoding, which is easy to decode. Therefore, if
    security (confidentiality) is critical for your case, you should consider
    applying SSL/TLS (https) on the login entry.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    --------------------
    >From: "Oriane" <>
    >Subject: A simple security question
    >Date: Fri, 5 Sep 2008 17:27:55 +0200
    >
    >Hi,
    >
    >With Asp.net 2.0, when an internet user logs in with a "login
    >authentication form", is the password encrypted when it is sent to the
    >server? Is it hashed?
    >
    >Best regards
     
    Steven Cheng [MSFT], Sep 8, 2008
    #4
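
What post #4 describes, as an added example that is not part of the original thread: over plain HTTP, both a login form POST and a Basic authentication header carry the password in a form anyone on the network path can read without a key. The two requests, the host name, the credentials and the `Login1$...` field names are constructed sample values.

```python
import base64
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed sample requests as they would appear on the wire without TLS.
BASIC_REQUEST = (
    "GET /members/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:S3cret!").decode("ascii") + "\r\n"
    "\r\n"
)
FORM_REQUEST = (
    "POST /login.aspx HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "Login1%24UserName=alice&Login1%24Password=S3cret%21&Login1%24LoginButton=Log+In"
)


def basic_credentials(request: str) -> Tuple[str, str]:
    """Recover (user, password) from a Basic Authorization header: base64 is an encoding, not encryption."""
    for line in request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
                return user, password
    raise ValueError("no Basic Authorization header found")


def form_fields(request: str) -> Dict[str, str]:
    """Return the URL-decoded fields of a form POST body; the password is just another field."""
    _, _, body = request.partition("\r\n\r\n")
    return {key: values[0] for key, values in parse_qs(body).items()}


if __name__ == "__main__":
    print("Basic auth header reveals:", basic_credentials(BASIC_REQUEST))
    print("Form POST body reveals   :", form_fields(FORM_REQUEST)["Login1$Password"])
```

With HTTPS the same bytes are sent inside the encrypted TLS channel, so neither the header nor the form body is visible on the network path.
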
  5. Oriane

    Oriane Guest

    Hi Keith,

    ----- Original Message -----
    From: "Keith G Hicks" <>
    Newsgroups: microsoft.public.dotnet.framework.aspnet
    Sent: Saturday, September 06, 2008 3:49 PM
    Subject: Re: A simple security question


    > Darrel didn't answer your question fully. You asked hashed or encrypted.
    > My understanding is that hashed strings can't be unhashed (not meant to be
    > anyway unless the hash has been cracked). I'm sure HTTPS is encrypting, not
    > hashing. Passwords or any other data that's sent via HTTPS would have to
    > be decrypted on the other side.

    I don't agree! In the SQL database, only the hashed password is saved (by
    default). So you don't necessarily need to send the clear password if you
    hash it with the same algorithm on the client. But in fact you are right, as
    Steven says, hashing is performed on the server.

    > The only way to "un"hash a password is to use
    > the same salt to hash the one on the other end and see if they match. Not
    > really unhashing at all. Does that make sense? If I'm wrong, I'm sure
    > someone will jump in and say so. :)


    Thanks for your answer
     
    Oriane, Sep 8, 2008
    #5
  6. Oriane

    Oriane Guest

    Thank you Steven
     
    Oriane, Sep 8, 2008
    #6