Friday, February 24, 2012

How to store encrypted data in SQL database

Hi everybody,

I have a login page in ASP.NET with the details being stored in the database. In the table at present I am storing the password in a plain text field.

Is it possible for me to store the data in an encrypted format, or some format, so that no one will be able to view the password?

And while returning back to the webpage I want them in plain text!

Is there any possibility for this?

Kindly help at the earliest.

Thanks in advance

sasidar: Is there any possibility for this?

Sure. Just encrypt the data before writing it into the server, decrypt it after reading it.

Note, though, that what you do here is NOT safe. Why do you ever want to decrypt the password? Use a hash and compare the hashed values.

|||

The best solution is to use a one-way hash created in ASP.NET code, and then whenever you want to check the entered password you create a hashed copy of the password entered, and then compare it to the hash stored in the database.


using System.Web.Security;

// One-way hash of the password concatenated with the salt; this value is
// stored in the database instead of the plain-text password.
private string CreatePasswordHash(string pwd, string salt)
{
    string saltAndPwd = string.Concat(pwd, salt);
    string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");
    return hashedPwd;
}

The salt string is just a string used to ensure that each password when encrypted will be unique (so if two people have a password of "password" the hashes will not be the same).

This way, really no one, not even you as the administrator of the system, will be able to read the password (this is a good thing). You can of course create a method to reset the password.

|||

Steve Wyncoop of the SQL Server Worldwide User's Group is ga-ga over XP_CRYPT. I've not used the product, but it looks like it simplifies saving encrypted data to SQL Server.

Don

|||

Thanks to those who replied to me,

But there is one more doubt for me. If I am using the hashing technique then we cannot reveal the password in plain text format. Suppose there is a situation where I require the password to be known; how do I get back the plain text format?

Through my readings I came to the conclusion that it cannot be done. Is it so? In that case is there any other technique so that I can encrypt the password and then decrypt the password whenever required?

Awaiting the solutions:

Thanks in advance

Sasidar

|||

You should work out a way that you never need to get to the decrypted password. People often use the same password for lots of things. If a user uses their one password on your site, it is better that even you never be able to get to that password.

In systems I write, we have a system in place where a password can be reset, but we have no way to reverse the one-way hash. This way, even if the database is compromised, users' passwords will not be exposed. Your users will appreciate it.

|||

Thanks for your reply,

But still I have a doubt: say my client or user forgets his password, then what should I do so that I can change the password? If I am going to change the contents directly in the database then the plain text will be changed and I hope that will not be fine. Is there any solution for this?

Awaiting the solution

Thanks

Bye

Sasidar

|||

The way you handle that is to create an administrative page that allows you to reset the password (you have a page that encrypts a default password EXACTLY the same way that your normal password hashing works).

|||

Sorry Mr. Douglas,

I am not able to understand.

Can you give me more details please?

Thanking you

sasidar

|||

I really can't, without providing all the code to do it, and I do not have time for that.

All you need to do is do the exact same one-way hashing on a default password (for instance, "password") and save that as the user's new password, and in some way notify the user of the new password.

This book:

http://www.microsoft.com/mspress/books/6501.asp

has lots of information on how to do this kind of thing.
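As an added example (not code from this thread), here is the approach from Douglas's answers, the salted one-way hash for login checks together with the administrative reset he describes in the last post, written in C# for ASP.NET. It goes beyond the thread's snippet: a random per-user salt and PBKDF2 (Rfc2898DeriveBytes) replace the fixed salt and the obsolete SHA1 helper, and the comparison is constant-time. The class and method names are assumptions made here, and it assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not the thread's code). Names below are invented here.
public static class PasswordStore
{
    private const int SaltSize = 16;        // random bytes per user
    private const int HashSize = 32;        // derived key bytes to store
    private const int Iterations = 100_000; // slows down offline guessing

    // Returns "salt:hash" (Base64) for the user table; the password itself is never stored.
    public static string CreatePasswordHash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        byte[] hash = Derive(password, salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Login check: re-hash the typed password with the stored salt and compare.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Derive(password, salt);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    public static void Main()
    {
        string stored = CreatePasswordHash("correct horse");
        Console.WriteLine(VerifyPassword("correct horse", stored));
        Console.WriteLine(VerifyPassword("wrong guess", stored));

        // Administrative reset: hash a temporary password EXACTLY like a normal one,
        // overwrite the stored value, and tell the user the temporary password.
        string afterReset = CreatePasswordHash("Temp-1234");
        Console.WriteLine(VerifyPassword("Temp-1234", afterReset));
    }
}
```

Because the stored value cannot be reversed, the reset page writes a fresh hash rather than editing plain text in the table, which is the situation the last question asks about.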
