I want the login password to not be sent in plaintext (due to the risk of hijacking). I know that this can be achieved in principle using MD5 or the like, but is there a common implementation for use with Asp.Net? Of course, it's crucial that the resulting hash (?) isn't easy to decrypt. When I read various posts on this matter, some people say it's just to do a reverse on the encrypted string, so that in effect, this is totally useless.
I have been killing myself over this for a couple weeks now and cannot find a viable solution. Here's my scenario:
I have a DTSX package that imports user data from an external database. It then creates user accounts and profiles in the local database. Users can also be created via a custom ASP.NET Membership Provider. The provider must be able to authenticate both types of users.
This was all fine and dandy during development because passwords were stored as clear text. However, now that we're ready for release the passwords format of the provider must be set to encrypted and so the users created via the DTSX must be created with an encrypted password. (I'd prefer the passwords were hashed but the client's requirements are that passwords be recoverable). The real problem seems to be creating an encrypted password within the DTSX that will be decryptable by the ASP.NET Membership Provider.
My original solution was to have the DTSX call a CLR stored procedure that had access to the same encryption logic as the provider. I got it working but our client wouldn't enable CLR integration. So that's out the window. Now I'm investigating alternatives. One alternative is to simply use the built-in encryption methods of T-SQL. But how do I share the keys used for the encryption/decryption?
My question is, is it possible to generate a password in T-SQL, say using EncryptByKey, that will also be decryptable by my provider? This means that the key in SQL must match the key in my machineKey configuration.
found while searching for help on my asp.net application.I have a small application with connected to a SQL database. As it was so small, and contained very little data of any importance, i had set it up with Clear passwords.Now i have been asked to expand the database considerably, and encrypted passwords are now required. I can easily modify the web.config so all future users are set up with encrypted passwords. But is there any way to change all existing users passwords to be stored encrypted?
I'm using ASP.NET membership for a site that will serve primarily sophisticated users. I understand the difference between hashed and encrypted passwords, and I'm trying to decide between the two.After my last client complained bitterly about hashed passwords being a total PITA, I've started to favor encrypted passwords. But someone suggested this just isn't secure enough.So my question is: What, exactly are the risks of encrypting passwords? Any person with the ability to steal passwords by decrypting them from the database would surely have the ability to reset them if they were hashed, no? I'm having trouble seeing where someone could cause trouble with encrypted passwords but couldn't with hashed ones. Making it convenient for users is also important.
I seem to be having some difficulty working out how to encrypt the user's password at the time they register for an account. To ensure that I am storing the password securely, I would like to be able to encrypt the password before it is inserted into the database.
When the user logs in I can then encrypt their password at log in time and compare this to the encrypted password in the database, meaning that the password in the database never needs decrpyting.
My issue today is that i have a MySQL Database and am using the security framework provided by the ASP.NET Membership and Role Providers...I override the default methods with my own MySQL.
Now the issue comes in when i someone would like to have their password reset. My application is running entirely on an Intranet so i cannot have their passwords emailed to them. Is there a way i can have this information displayed in any way so that the user can use it to Log Reset, Create Accounts or Recover their lost passwords on an intranet without the administrators intervention?
Recently i had an approach as follows. In my web.config<system.net><mailSettings><smtp deliveryMethod="pickupDirectoryLocation" and my location was a folder on C drive as c:/SavedPasswords. Now i understand this was such a big security threat and thats why i am looking for a better option.
I would have that folder created using my System.IO and then the Mail is dropped into that folder. Then after the process is successful, i tell the user to check into that location and Read its content.
Then there is a global variable that is set to true...meaning that the folder at c:/ has been created. then there is a Method in a certain class that once it sees this variable True, it reads the readers c:/ and deletes that folder "save" if it exists;
I have a small database, with a very small number of users. The passwords were stored as clear as the database was so small and held no sensitive data. The database is now to be expanded and passwords are required to be encrypted. I can change the Password Format in the web.config, but is there a way to change the existing passwords from clear to encrypted?
Having spent considerable amount of time in ASP.NET security community I would like to share this.
There are three ways of resetting and changing passwords explained at
Microsoft ASP.NET site[URL]
Step 1: Helping Users Recover Lost Passwords Step 2: Changing Passwords Step 3: Allowing Administrators to Change Users' Passwords
In step 1 and step 2 end user passwords are sent by an email.
In Step 3: functionality is explained where administror changing the password and sending through email msg. refer "I encourage those readers interested in this functionality to become more familiar with the code and try extending the functionality to include sending an email to the user whose password was changed. Query
Is Sending passwords by emial secure enough or best security password at all? I have implemented functionality where Admin sending passwords to end users by changing once in 3 months. End users expressed their views that sending passwords by email is not secure. When there is security threat in sending passwords by email, Microsoft security experts should not emailing passwords in above mentioned article, which is still up to date.
I have been trying to encrypt password and found a code which is working with Access fine but as i have changed to SQL it is not decoding the encrypted text.. it amazes me..this SQl code is not letting me log on..
I am wondering how to encrypt the below information in the "web.config" file of the "Account" folder (where we have the secured pages):
[Code]....
My issue here is that even after I compiled my application (using "aspnet_compiler -v /reports c: eports"), the information inside the web.config file of the Account folder still not encrypted, and I want to publish my site to the customer server. So, since this server is a customer server, then they can access this "web.config" file and change our web-application security behaviour (correct me if I am wrong). Basically, I don't want the customer to even have access to our secured pages when they access our web-application using the web browser. How to solve this issue?
I have created an x590 certificate that is in the file : "C:UsersmartinAppDataRoamingMicrosoftSystemCertificatesMyCertificates"
I am trying to acces the public key to encrypt some plain text.
The system is throwing an "System.ArgumentOutOfRangeException" at the line
Dim certificate As X509Certificate2 = certificateCollection(0)
Can anyone tell me where I am going wrong or tell me another way to access the public key
................................................. This is the complete code: Imports System.Security Imports System.Security.Cryptography.X509Certificates Imports System.Security.Cryptography.X509Certificates.X509Certificate2 Imports System.Security.Cryptography.Pkcs Partial Class encryptwithcertificare Inherits System.Web.UI.Page Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click Dim encoding As UTF8Encoding = New UTF8Encoding Dim cleartext As String = Textbox1.Text Dim myStore As X509Store = New X509Store() myStore.Open(OpenFlags.ReadOnly) Dim certificateCollection As X509Certificate2Collection = myStore.Certificates.Find(X509FindType.FindBySubjectName, "bobby", True) Dim certificate As X509Certificate2 = certificateCollection(0) Dim code() As Byte = EncryptwithCertificate(cleartext, certificate) Label1.Text = Convert.ToBase64String(code) End Sub Shared Function EncryptwithCertificate(ByVal cleartext As Byte, ByVal certificate As X509Certificate2) As Byte() Dim encoding As UTF8Encoding = New UTF8Encoding Dim cleartextsbyte() As Byte = encoding.GetBytes(cleartext) Dim contentinfo As ContentInfo = New ContentInfo(cleartextsbyte) Dim envelopedCms As EnvelopedCms = New EnvelopedCms(contentinfo) Dim recipient As CmsRecipient = New CmsRecipient(certificate) envelopedCms.Encrypt(recipient) Return envelopedCms.Encode() End Function End Class
I have a webApplication in which i want to encrypt the data using Public key and whan it reach to the destination webapplication it will decrypted there with corresponding private key . Is there is any way to creating this pair of key?
I want to encrypt the password entered by the user....how do i go about it?is there any built-in function for it or will i be required to write a code for it?
I have been looking at ways of encrypting querystrings and I have found a few good examples.. but, I just want some clarification on what is most often referred to as the EncryptionKey and the characters that are in that key....Is there basically an unlimited number of alphanumeric combinations that could be used in the following code as the encryption key, is there anything that someone should be CAREFUL about including in that key?
using System.Security.Cryptography; private static string EncryptionKey = "!#$a54?3"; /// other examples: "r0b1nr0y" ///in a try-catch: key = System.Text.Encoding.UTF8.GetBytes(EncryptionKey.Substring(0, 8)); DESCryptoServiceProvider des = new DESCryptoServiceProvider(); inputByteArray = Convert.FromBase64String(Input);
I have been trying to change a users password, I have been using this code
[Code]....
I do not get an error during the try routine, but my problem comes that when the user goes it insert their new password (using login Control) it says that the password is wrong.. and they then can't login using either their new or old password.
All Password critria is met, web.config if set so passswordQuestion = false
I have an asp.net page where I have used FormsAuthentication.HashPasswordForStoringInConfigFile. Encrypted password is saved in database. I have created a forgotPassword page. Where I need to send user his password. How can I decrypt it and send it to user. if SHA1 can not be decryoted what other option should I use to encrypt the passwords?
I have written a couple methods that encrypt and decrypt the appSettings section of my web.config file using the WebConfigurationManager. I just hooked up the methods to the page_load event to test that it works, which it does. Now I need to deploy to a web farm and need advice. What is the best way to make it so I can encrypt, but more importantly decrypt the web.config when I need to? I thought about putting a hidden page with "encrypt" and "decrypt" buttons, but that seems risky. What is the "accepted" method for rolling out something like this?
I have a problem hopefully someone out there will steer me in the right direction.
I have a web application that I am going to put on a standalone cd - currently the data is "Safe" because the database is in in the app folder and the code is located in the codebehind.
My problem is i'm putting this on a CD as a standalone site, anyone can access the database, or find the XML....
Is there a way to generate an encrypted Database / XML Page, that is complied with the CD, that the program can decrypt and access with a embedded key?
I need to store passwords provided by the user. Yes, passwords. I could not use Hashes because I need to supply the password to another external service for authentication, and therefore I need to have the password.
What is the best and most secure way to store the passwords? As the external data provides private data it is of course very important that the password in my MS SQL DB is stored as safe as possible.
I'm looking to create my application as secure as possible. Now I have following line of code:
[Code]....
As you can see, my password is in plain-text in the code. Now, I presume it's easy to decompile a code using a tool and getting your hands on the password. Since these are my AD Admin-credentials this is not that good.The AuthenticationTypes are secure, I think. They encrypt the data before sending it to the network.So there's just the problem of the plain-text password. I've searched for it on Google but can't find the proper solution. I've found alot about encrypting passwords in the web.config.
I've created a website with users and passwords and such for authentication.When a user is created through the "administer website" function of asp.net 4.0 where are the passwords stored? Is there a way to manually change passwords in the database?