Storing passwords in database

Discussion in 'ASP .Net' started by VB Programmer, Nov 29, 2004.

  1. I am using SQL Server as the database for my ASP.NET app.

    I have a users table with a password field. What is the best way to encrypt
    it before it goes into the table, then decrypt it to read the value? Any
    sample code or links would be helpful.

    Thanks!
     
    VB Programmer, Nov 29, 2004
    #1

  2. VB Programmer

    John M Deal Guest

    You shouldn't encrypt or decrypt it at all. What you should do is create
    a hash of the password value and then store it in the database. The next
    time the user tries to log on you should hash the password they entered
    and compare it to the stored hash; if they are the same, then the user
    entered the proper password. This helps prevent anyone with access to
    your database (for legitimate purposes or otherwise) from figuring out
    people's passwords (as the hash cannot be reversed). You may also
    consider salting the password when hashing it.

    Here's one site with some info:

    http://www.ondotnet.com/pub/a/dotnet/excerpt/ado.netckbk_chap01/?page=2

    others can be located using a search on google for:

    dotnet password hash salt

    Hope this helps.

    Have A Better One!

    John M Deal, MCP
    Necessity Software


    VB Programmer wrote:
    > I am using SQL Server as the database for my ASP.NET app.
    >
    > I have a users table with a password field. What is the best way to encrypt
    > it before it goes into the table, then decrypt it to read the value? Any
    > sample code or links would be helpful.
    >
    > Thanks!
    >
    >
     
    John M Deal, Nov 29, 2004
    #2

  3. VB Programmer

    Vaibhav Guest

    Try using the .Net Crypto API. It provides the best tested algorithms for
    encryption.


    Try using trusted_connection=true; in the web.config file instead of using
    a SQL connection string with username and password.

    HTH


    "VB Programmer" <Dont*NoSpam-Please*@jEmail.com> wrote in message
    news:...
    >I am using SQL Server as the database for my ASP.NET app.
    >
    > I have a users table with a password field. What is the best way to
    > encrypt it before it goes into the table, then decrypt it to read the
    > value? Any sample code or links would be helpful.
    >
    > Thanks!
    >
     
    Vaibhav, Nov 29, 2004
    #3
  4. I agree with John that hashing is preferable. Most programmers would
    consider it to be the best practice.
    Here's an example for you:
    http://www.aspnetpro.com/NewsletterArticle/2003/04/asp200304so_l/asp200304so_l.asp

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://Steve.Orr.net


    "VB Programmer" <Dont*NoSpam-Please*@jEmail.com> wrote in message
    news:...
    >I am using SQL Server as the database for my ASP.NET app.
    >
    > I have a users table with a password field. What is the best way to
    > encrypt it before it goes into the table, then decrypt it to read the
    > value? Any sample code or links would be helpful.
    >
    > Thanks!
    >
     
    Steve C. Orr [MVP, MCSD], Nov 29, 2004
    #4
  5. VB Programmer

    Andy G Guest

    I just finished programming the same thing that you want to do and I used,

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp

    That's all you will need, follow it step-by-step, by far the most secure
    password handling out there using the SHA-1 type.


    "VB Programmer" <Dont*NoSpam-Please*@jEmail.com> wrote in message
    news:...
    > I am using SQL Server as the database for my ASP.NET app.
    >
    > I have a users table with a password field. What is the best way to
    > encrypt
    > it before it goes into the table, then decrypt it to read the value? Any
    > sample code or links would be helpful.
    >
    > Thanks!
    >
    >
     
    Andy G, Nov 29, 2004
    #5