I am using a standard implementation of the membership provider. I however, need to compare a supplied password (from a textbox) with a saved encrypted password. This is for a new security policy at work.
[Code]....
For testing I used this:[URL]Encrypts only the password is not encrypted and username.Why not?For security reasons, I would like also to encrypts username.
View 10 Repliesfor maintain security, i encrypted my password and store in database like following
Dim PWD As
String = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text.Trim(),
"SHA1").Trim()
but problem is suppose user forget his password and need to know then how can i decrypted the password and send to the user?is there any other suitable way to handle password?
For our website, we have decided we would like to maintain our user passwords as encrypted binary data in our database. We are using ASP.NET 3.5 to host our site and SQL Server Express 2008 for the database, both running on the same server. When a user logs in and submits a username and password, there will need to be some sort of encryption or decryption in order to verify the credentials. To me, it would appear that there are 3 ways to do this:
1)[C# Encyrption] On User creation, perform encryption in the Web App and submit the encrypted password to the database. To verify credentials at Login, perform the same encryption on the submitted password and ensure that it matches the value stored in the database.
2)[SQL Encryption] On User creation, submit the plain-text password to the database and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, have the database perform decryption on the password during the SELECT statement, and compare the plain-text submitted password to the one in the database.
3)[Mix] On User creation, submit the plain-text password to the database, and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, perform the same encryption algorithm used by SQL on the submitted password ( is this possible? ), and ensure that it matches the value stored in the database.
Does anybody have an opinion as to which of these options is best? Number 1) is the most familiar to me, and would be the easiest to use with LINQ to SQL ( which is our current data model ), so I am leaning towards that. But if there are better options I would love to know about them.
I am using the below post to encrypt and decrypt the password.
ENCRYPT POST
Now my code is working for Encryption. But now what I want is,
When I am using Forgot passwprd functionality, I want to send the decrypted password to the respective user in the Email.
In my database table the password is saved in the Encrypted format.
I have the code decrypt code from the above mentioned post, the question is where to place in the below code so that it will decrypt it properly
Here is my code:-
protected void btnSubmit_Click(object sender, EventArgs e) {
DataSet ds = new DataSet();
using (SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["DefaultCSRConnection"].ConnectionString)) {
conn.Open();
[Code] ....
I want to know how can I protect my password in login & register pages because I am not using .net's Login or CreateUserWizard controls.I want an encryption method for this process e.g. when storing password in the database form the register page and when comparing the password with stored password in database to varify a user in login page.
View 3 RepliesI need to send password encrypted email in C# -how hard is this to do ?, and how to do it ...??Do you nee SSL certificate or not ?I know how to send normal emails becuase i did it already but not encrypted emailsIf you have personal experience , then tell me the how.
View 3 RepliesI have trouble using this encrypting and decrypting password
Refer here: [URL] ....
I am working on document storage and retrieval application. In which i display the pdf document as an png image , but i have a email button on the top. On clicking that the user would be able to provide an email address to which the document needs to be sent, and I need to send this pdf as an attachment. I need to password protect the file for security reasons. I have no clue on how i can do this in asp.net mvc.
View 2 RepliesEven with https enabled, you can write a password to the event log in code-behind. Any way to keep that password encrypted in code while you're checking it against a data store?
(using Login control)
(couldn't add comment to Andrew's answer, so I'm putting it here)
NTLM uses the username/password of the machine the user is logged into right? For this, I was thinking using ActiveDirectory on the server as the data store. It would have a diferrent un/pw than what the user is currently signed in to their machine as.
I'm using ASP.NET 3.5 and Visual Studio 2008 C#.
I'm creating a website and currently making tests for registration. I've manage to create a registration form in the web site and save what the user inputs in the textboxes into a sql server 2008 database.
One of the fields is Password. What I want know is how do you save the password into the database but the database stores it encrypted. That way I'm just able to see the password encrypted. Then when I make a log-in form how to validate the password input by the user with the encrypted one and give a succesful login.
Coding is not working for Making Password Field Encrypted in sql
View 1 RepliesI can recover my password but when I try to change my password to something a bit easier to remember it gives me:
Password incorrect or New Password invalid. New Password length minimum: 7. Non-alphanumeric characters required: 1.
I was able to encrypt the password and save it in the database but I need to encrypt the password now when the users try to login. For example, user comes and types his/her username and password but the password is already encrypted in the database, how can I decrypt and authenticate the user?
protected void ValidateUser(object sender, EventArgs e)
{
int userId = 0;
string constr = ConfigurationManager.ConnectionStrings["constr"].ConnectionString;
using (SqlConnection con = new SqlConnection(constr))
{
using (SqlCommand cmd = new SqlCommand("Validate_User"))
[code].....
here is the decrypt function
private string Decrypt(string cipherText)
{
string EncryptionKey = "MAKV2SPBNI99212";
byte[] cipherBytes = Convert.FromBase64String(cipherText);
using (Aes encryptor = Aes.Create())
[Code]......
i'm having a problem with symmetric key and certificate. the issue is, this database i'm using now is restored from a different source and ever since, i've been having problem regarding the symmetric key or certificate the error message i'd get from the aspx web pages would be "Please create a master key in the database or open the master key in the session before performing this operation" yes i did open the master key
[Code]....
reading on the web ive found the code below; i wonder if an encrypted string using this block generates an unique result or if different encrypted sources can result in the same crypted array:
private static TripleDES CreateDES(string password)
{
MD5 md5 = new MD5CryptoServiceProvider();
TripleDES des = new TripleDESCryptoServiceProvider();
des.Key = md5.ComputeHash(Encoding.Unicode.GetBytes(password));
des.IV = new byte[des.BlockSize / 8];
return des;
}
So if i encrypt connectionstrings and sections, how will i get their values inside my code?I don't want to decrypt the web.config, i just want to read the encrypted values.There must be a class.Maybe something from ConfigurationManager?I don't suppose it's automatically decrypted?
View 4 RepliesI've taken over a website which has around 3000 users registered using the standard asp.net membership provider on a SQL database. When the website was set up there were a lot of gaps in the system and we have a lot of tidying up to do of users with the same email addresses etc and invalid addresses so i'm just starting to look at how i can wrap all of this up and make administering the user accounts easier.
At the moment the account passwords are stored in "Hashed" format set in the web.config and obviously this doesn't allow for password retrieval. I want to know whether there is a way of converting all of these passwords from a hashed format to an encrypted format thus allowing me to create a password recovery page that doesn't then send the user a new password which is quite often something like "a*ns7#<3lx"
Ideally i'd like to convert all of these if that is possible so that I do a much simpler password retrieval system. If this is not possible can you tell me how i go about setting the passwordreset value not to contain all sorts of non-alpha/numberic characters?
I am using Forms Authentication in a new ASP.NET 3.5 Application.I have created the Tables in my database and run the Web Site Administration Too.When I try to create a user I get a password error no matter what I throw at it and I am becoming sure of that this is a symptom of an a setup error and not a password problem.One of the things that I notice is that my aspnet_Applications is empty and I am not sure what is supposed to fill it.I have tried to delete all the aspnet tables and done the procedure again but with the same result.
View 1 RepliesI using change password control, how can i change the password without enter the current password?
View 8 RepliesI had been trying to solve this but there is a hidden key i wish someone point me to.
I had a simple membership database with users in first the Membership Provider configured for clear password to retrieve the original password .
Now a new requirement say that the password must be hashed and reset .
I configure the Membership password to hash , and Implemented the Reset Password Module.
My problem is as follow.
If the user is new registered user with the new configuration the password and the security answer is hashed.
also when I go and reset the password it continue to be hashed.
Now I thought that with new configuration if any previous user with clear text configuration , If he use the password Reset module , because my configuration now is hashed , I expected that the new password and security answer will be hashed . what happen is old user continue in clear text even if the configuration is hashed. so If I had new users everything is fine.
old users Membership Provider somehow know they had been stored in clear text and it keep change password and security answer in clear text . If I delete this user and create it , Membership Provider understand that everything will be hashed. I need to know how it know this , I need to migrate users not to delete and recreate users .
Also if there are no solution for that , I wish Microsoft Consider it in future cause it is a real user scenario, that can happen imagine a business system that related to membership user Id , deleting users and recreate them is not a solution .
I just begin creating a website for an organization. First page to be displayed in the login page. I dont have any knowledge in ASP.NET Security. On Login page, i want to display UserName field as disabled with the useralias of the user who currently logged into Windows. Password user has to provide and it should be that user's windows password.
How do i validate that password that user has entered is his windows password?
I am developing a shopping cart with asp.net and sqlexpress. I am using aspnet authentication components to create a backend page. I designed the site to let in only authorized users in.
Yesterday, I forget my password to login to backend and asked system recover my password. with recover password of the asp.net I was able to receive the temp password. I took that and logged in, of course asp.net forward me to password change component which I am having problem with.
Every time I change my password , password change shows that I was successfull but after clicking on the continiue button password change component comes back. I went to properties of password change component and entered the main default page as destination but it is not helping.
I close the IE clear the cache , even restart the machine. When I login always taking me to the password change page.
Is there a way to assign a value to the password and confirm password fields of the CreateUserWizard control programmatically when the page loads? The CreateUserWizard.Password property is read-only.
View 3 RepliesI would like to encrypt the password and store it in DB. And if user forgots the password and request for password i have to send him a dummy password to his mail id how can i implement this if any code available At the time of registration i have to encrypt or salt the password and save it to DB..
View 1 Replies