A simple security question

Oriane

Hi,

With ASP.NET 2.0, when an internet user logs in with a "login authentication
form", is the password encrypted when it is sent to the server? Is it
hashed?

Best regards
 
darrel

> With ASP.NET 2.0, when an internet user logs in with a "login
> authentication form", is the password encrypted when it is sent to the
> server?

Via HTTP? No.

Via HTTPS? Yes.

-Darrel
 
Keith G Hicks

Darrel didn't answer your question fully. You asked hashed or encrypted. My
understanding is that hashed strings can't be unhashed (not meant to be
anyway unless the hash has been cracked). I'm sure HTTPS is encrypting, not
hashing. Passwords or any other data that's sent via HTTPS would have to be
decrypted on the other side. The only way to "un"hash a password is to use
the same salt to hash the one on the other end and see if they match. Not
really unhashing at all. Does that make sense? If I'm wrong, I'm sure
someone will jump in and say so. :)
 
Steven Cheng [MSFT]

Hi Oriane,

Regarding your question, I think the answer is:

Without using any transport layer security approach (such as SSL/TLS), the
password (just like any other textbox field on the page) is sent in clear text
without any encryption or hashing.

If you use basic authentication of the HTTP protocol, by default it also only
performs a base64 encoding, which is easy to decode. Therefore, if
security (confidentiality) is critical for your case, you should consider
applying SSL/TLS (https) on the login entry.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


 
Oriane

Hi Keith,

----- Original Message -----
From: "Keith G Hicks" <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet
Sent: Saturday, September 06, 2008 3:49 PM
Subject: Re: A simple security question

> Darrel didn't answer your question fully. You asked hashed or encrypted.
> My understanding is that hashed strings can't be unhashed (not meant to be
> anyway unless the hash has been cracked). I'm sure HTTPS is encrypting, not
> hashing. Passwords or any other data that's sent via HTTPS would have to
> be decrypted on the other side.

I don't agree! In the SQL database, only the hashed password is saved (by
default). So you don't necessarily need to send the clear password if you
hash it with the same algorithm on the client. But in fact you are right, as
Steven says, hashing is performed on the server.

> The only way to "un"hash a password is to use
> the same salt to hash the one on the other end and see if they match. Not
> really unhashing at all. Does that make sense? If I'm wrong, I'm sure
> someone will jump in and say so. :)

Thanks for your answer
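
The two points made in this thread, as an added example that is not code from any of the posters: HTTP Basic credentials are only base64-encoded, and a salted hash is checked by re-hashing the submitted password on the server. It is written in Python rather than ASP.NET; PBKDF2-HMAC-SHA256, the round count and the sample account are assumptions for illustration, not what ASP.NET 2.0 membership uses.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def decode_basic_auth(header_value):
    """Recover (user, password) from an HTTP Basic Authorization header value.

    No key is involved: base64 is an encoding, so anyone who can read the
    request on a plain-HTTP connection can do exactly this.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def hash_password(password, salt):
    """One-way salted hash; the server stores this value next to the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(candidate, salt, stored_hash):
    """Re-hash the submitted password with the stored salt and compare."""
    return hmac.compare_digest(hash_password(candidate, salt), stored_hash)


# Constructed sample data: what the server keeps after account creation.
SALT = os.urandom(16)
STORED = hash_password("s3cret!", SALT)

# Constructed sample header, as a client would send it for oriane / s3cret!
HEADER = "Basic " + base64.b64encode(b"oriane:s3cret!").decode("ascii")

if __name__ == "__main__":
    user, pw = decode_basic_auth(HEADER)
    print(user, pw)                                # recovered without any key
    print(verify_password(pw, SALT, STORED))       # server-side check succeeds
    print(verify_password("guess", SALT, STORED))  # wrong password fails
```

The server in this sketch still receives the clear password and hashes it itself, which is why the transport has to be protected with SSL/TLS as described above.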
 
