Security :: Encrypted Password - Sort Of Encryption Or Decryption In Order To Verify The Credentials
Jun 16, 2010
For our website, we have decided we would like to maintain our user passwords as encrypted binary data in our database. We are using ASP.NET 3.5 to host our site and SQL Server Express 2008 for the database, both running on the same server. When a user logs in and submits a username and password, there will need to be some sort of encryption or decryption in order to verify the credentials. To me, it would appear that there are 3 ways to do this:
1) [C# Encryption] On User creation, perform encryption in the Web App and submit the encrypted password to the database. To verify credentials at Login, perform the same encryption on the submitted password and ensure that it matches the value stored in the database.
2) [SQL Encryption] On User creation, submit the plain-text password to the database and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, have the database perform decryption on the password during the SELECT statement, and compare the plain-text submitted password to the one in the database.
3) [Mix] On User creation, submit the plain-text password to the database, and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, perform the same encryption algorithm used by SQL on the submitted password (is this possible?), and ensure that it matches the value stored in the database.
Does anybody have an opinion as to which of these options is best? Number 1) is the most familiar to me, and would be the easiest to use with LINQ to SQL (which is our current data model), so I am leaning towards that. But if there are better options I would love to know about them.
View 3 Replies
Similar Messages:
Jun 9, 2010
I am trying to encrypt/decrypt a file with CAPICOM in JavaScript. I have to encrypt the file with a private key and decrypt with a public key. But I don't know how to do this with CAPICOM.
View 1 Replies
Mar 13, 2010
This is meant to be easy... so I've been told, but still can't get it to work! I have a SQL database hosted on a shared server which requires the use of SQL authentication. As a result I require to encrypt my sensitive data in the config (connection strings etc). I understand that you can do this using aspnet_regiis etc, but I've been told that as I have no direct access to the server, I may need to program the encryption.
I have seen a few examples, but as a novice I have been banging away at this, looking at an errors screen most of the time!
View 18 Replies
Aug 24, 2010
I have a Triple DES Key generated by Java code from a third party vendor. It is a 3 part key.
We need to use this key in our VB.NET application. When I try to combine this key and use it in my app,
'Dim desTransform As ICryptoTransform = desCrypto.CreateEncryptor(EncryptKey(Key), EncryptIV(IV))' gives me an error: 'Specified key is not a valid size for this algorithm'.
I am new to cryptography and do not understand the algorithms well. How can I use the Java-generated key in our app for encrypt/decrypt?
View 3 Replies
Mar 4, 2011
I want the encryption and decryption codes in C# for RSA, MD5 and HMAC-SHA1 for generated key.
View 1 Replies
Dec 3, 2010
I am building a web application that is limited to one database, thus I cannot use the handy ASP.NET config tool. I am attempting to use SqlClient to authenticate users from a user table I added to my database. Here is the code I have thus far:
[Code]....
[Code]....
View 5 Replies
May 7, 2015
I was able to encrypt the password and save it in the database but I need to encrypt the password now when the users try to login. For example, user comes and types his/her username and password but the password is already encrypted in the database, how can I decrypt and authenticate the user?
protected void ValidateUser(object sender, EventArgs e)
{
    int userId = 0;
    string constr = ConfigurationManager.ConnectionStrings["constr"].ConnectionString;
    using (SqlConnection con = new SqlConnection(constr))
    {
        using (SqlCommand cmd = new SqlCommand("Validate_User"))
        [code].....
here is the decrypt function
private string Decrypt(string cipherText)
{
    string EncryptionKey = "MAKV2SPBNI99212";
    byte[] cipherBytes = Convert.FromBase64String(cipherText);
    using (Aes encryptor = Aes.Create())
    [Code]......
View 1 Replies
Apr 12, 2010
I have a requirement to develop an application in Excel VBA to talk to an MSSQL database. The client wants a login facility for a number of named users - I am going to set up these users in the aspnet tables in my database (aspnet_users, aspnet_membership etc). There is no facility in VBA to do automatic verification of a user's credentials like there is in ASP.Net so I have developed a simple login form for the user to enter their username and password and send these to a stored procedure in the database. I am looking for a stored procedure that implements the ASP.Net hashing routine to convert the user supplied password into the same format as the database stored password so I can compare and return a true or false.
View 1 Replies
Jul 15, 2010
I am using a standard implementation of the membership provider. I however, need to compare a supplied password (from a textbox) with a saved encrypted password. This is for a new security policy at work.
[Code]....
View 6 Replies
Jul 7, 2010
For testing I used this: [URL] Encrypts only the password is not encrypted and username. Why not? For security reasons, I would like also to encrypt the username.
View 10 Replies
Feb 13, 2010
To maintain security, I encrypted my password and stored it in the database like the following:
Dim PWD As String = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text.Trim(), "SHA1").Trim()
But the problem is, suppose the user forgets his password and needs to know it, then how can I decrypt the password and send it to the user? Is there any other suitable way to handle passwords?
View 4 Replies
Jul 20, 2010
I have an encrypted web.config file. How to decrypt this file? Because I need to update connection string information in that file. So I need to decrypt the existing encrypted config and update the connection string, then again I have to encrypt. The below command did not work. Getting error (Decrypting configuration section...Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Bad Data.)
aspnet_regiis -pdf "connectionStrings" <physical path of the web.config file in server>
View 1 Replies
Aug 2, 2010
I want to know how I can protect my password in login & register pages because I am not using .net's Login or CreateUserWizard controls. I want an encryption method for this process, e.g. when storing the password in the database from the register page and when comparing the password with the stored password in the database to verify a user in the login page.
View 3 Replies
Dec 1, 2010
Just a quick question: I've been asked to look at enhancing security by encrypting passwords we store in a db table. Essentially the data that's linked to the user account isn't sensitive, however it's more to stop someone reading passwords out of the table directly etc.
I've read multiple ways of implementing hashing etc. I've started using FormsAuthentication.HashPasswordForStoringInConfigFile
//create new salt and update the password
Hashtable newInfo = new Hashtable();
newInfo["salt"] = GenerateFriendlyPassword(5);
string tmppass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtNewPass1.Text.ToString() + newInfo["salt"].ToString(), "SHA1");
newInfo["passwordHash"] = tmppass;
Generate friendly password returns a 5 char string based on a random position in a valid char array containing a - z and 0 - 9. At present the functionality is at page level in the code behind. Re this, is the forms authentication HashPasswordForStoringInConfigFile function thread safe? Or do I need to look at implementing this in a different way? Cheers, appreciate your response as I'm always dubious about multi threading etc,
View 1 Replies
Mar 8, 2011
Can anyone help with best practice for storage of database passwords/connectionstrings for ASP.NET applications? Most tutorials suggest storing the connection string (along with the password) in Web.config. I don't like this solution because the connectionstring is visible to anyone working on the application (although I appreciate it is secured from the consumer). You can use aspnet_regiis to encrypt sections of Web.config, but then surely anyone with access to the web server could easily decrypt it anyway. For an enterprise level application what should I be doing? I could store it in Web.config and encrypt with my own key, but then would that offer any advantage over aspnet_regiis, because the key would have to reside on the web server anyway?
View 1 Replies
May 28, 2010
I need to implement a standard encryption/decryption logic across an entire project platform which has different clients implemented using different platforms as follows:
iPhone app (Objective-C)
website (classic ASP)
webservice (ASP.NET)
Samsung bada app (C++)
The iPhone app as well as the website need to send info to the webservice using encrypted query strings.
The web service then decrypts this and processes the info further.
Wanted to know the simplest way to achieve this. Is there some free and ready to use binary available with an easy to use API to achieve this?
Encryption needs to be as secure as possible.
Edited: currently we use AES on the website and webservice front.
View 2 Replies
Mar 8, 2011
I have a web.config file and it is encrypted completely and hosted on one server. Now I got one requirement to change the admin person's mail id. So I need to decrypt the web.config file and update the mail id, then encrypt the config file again. Please tell me how to do this using aspnet_regiis -pdf commands?
View 1 Replies
Sep 14, 2010
We are designing a .net web application that has an external and internal site.
Both sites need to encrypt data; only the internal site needs to decrypt data.
We are wondering what are the best practices for:
Which encryption method to choose?
Where to store the encryption / decryption key?
View 2 Replies
Mar 18, 2011
I used the following command to encrypt my connection string but an error occurred,
"The connection name'DatabaseConnectionString1' was not found in the applications configuration or the connection string is empty" How can I encrypt it while keeping the application working? What if I move the encrypted application to another computer? Will it work?
View 1 Replies
Oct 15, 2010
I am passing values through query string. I want to restrict the user to modify the url to get the unauthorized permissions. I want to encrypt the url so that user can not understand and decrypt and use in the code. How can I do this? If there is any method to restrict the user to modify the url,
View 2 Replies
Oct 12, 2010
I am using a custom membership provider with a custom ValidateUser method. The ValidateUser sends an additional parameter to authenticate my users (Username, Password, and Dealer). I created a custom stored procedure for ValidateUser to call. I copied over all my users from another table and encrypted all the passwords in the aspnet_membership table using the code below. My question is, how do I take the password the user enters in the login form and validate that against what is in my aspnet_membership? Here is the code I used to encrypt the passwords (not even sure this was the right way to encrypt. Please tell me if I did this wrong):
public static string EncodePasswordNow(string originalPassword)
{
    Byte[] originalBytes;
    [code]...
View 1 Replies
Feb 8, 2010
Before I continue I'm going to let everybody know that I am not trying to follow a traditional .Net Membership Provider. I'm attempting to write my own Membership Provider which does not extend the default .Net Membership Provider b/c I feel that in areas it can become extremely cumbersome. Please keep this in mind before responding. Also keep in mind that I am trying to learn from this experience, not find an easy solution for some client's application. I am writing a custom membership provider that has password formatting functionality similar to .Net's default membership provider. I'm looking for some good/easy examples of ways to encrypt/decrypt or hash password values. I previously tried going the RSA route, but got stuck when I had to Import an RSAParameter and was unsure of how to generate a RSAParameter.
I would like to have both Hashing and Encryption available, but only need Encryption. I'm also looking for a very strong encryption. I'm storing the password format in an external .xml file (similar to how the web.config stores the password format for .Net's Membership Provider) which will become manageable from the administrative side of my web application. If anybody knows of any existing Encryption libraries that may provide assistance, please feel free to post links. I only ask that they be open source solutions so I can see how they went about doing this.
View 4 Replies
Mar 3, 2011
Explain to me Secure Socket Layers (SSL) and how it provides the functionality of encryption and decryption of data?
View 1 Replies
Jan 2, 2010
I have to Encrypt and Decrypt Back the Password field in SQL Server. I have used the pwdencrypt and pwdCompare() but I don't have to compare, I have to display the password back using the Decrypt technique. Is there any algorithm which I can use only for encryption and decryption of the password field?
View 4 Replies
Dec 20, 2010
[Code]....
View 4 Replies