Security :: Is There A In Built Function To Hash Passwords
Apr 22, 2010
Is there an in-built function in ASP.NET to hash passwords?
I am tasked with a project to convert words from strings to numbers. I have to do this while ensuring collision-avoidance. i.e. training -> 10232323
We are storing the numbers in a database and when we retrieve the records from the database, we will reverse hash and convert the number back to a string
10232323 -> training
As you might have guessed - this is not an area that I am familiar with. I researched the overridable System.Object.GetHashCode() method, but Microsoft warns that there is little guarantee that the default implementation of GetHashCode() avoids collisions.
So I am left stuck. I would like to create an algorithm, but I have no idea where to start.
Also, the function should accept unicode characters - in the event the company decides to internationalize.
Hopefully someone knows a way to fix this issue, but here is my problem. I need to be able to recreate an MD5 hash that will be the equivalent of the hash that PHP would generate.
The encodings I have tried are listed below. None of these will produce the same values.
UnicodeEncoding
UTF7Encoding
UTF8Encoding
UTF32Encoding
My issue today is that I have a MySQL database and am using the security framework provided by the ASP.NET Membership and Role Providers... I override the default methods with my own MySQL.
Now the issue comes in when someone would like to have their password reset. My application is running entirely on an intranet so I cannot have their passwords emailed to them. Is there a way I can have this information displayed in any way so that the user can use it to Log Reset, Create Accounts or Recover their lost passwords on an intranet without the administrator's intervention?
Recently I had an approach as follows. In my web.config <system.net><mailSettings><smtp deliveryMethod="pickupDirectoryLocation" and my location was a folder on C drive as c:/SavedPasswords. Now I understand this was such a big security threat and that's why I am looking for a better option.
I would have that folder created using my System.IO and then the mail is dropped into that folder. Then after the process is successful, I tell the user to check into that location and read its content.
Then there is a global variable that is set to true... meaning that the folder at c:/ has been created. Then there is a method in a certain class that once it sees this variable True, it reads the readers c:/ and deletes that folder "save" if it exists;
I have a small database, with a very small number of users. The passwords were stored as clear as the database was so small and held no sensitive data. The database is now to be expanded and passwords are required to be encrypted. I can change the Password Format in the web.config, but is there a way to change the existing passwords from clear to encrypted?
I've a pre-supplied public function in classic ASP that creates a hash value - it is pretty complex and I'd rather not convert it to .NET if at all possible (mainly as I don't understand half of what it does!) I'm running it under IIS7 on VWD2008 Express. How would you call a function in that ASP file? Do you have to redirect or, as it is #included into the ASP.NET file, is there an easier way? At the moment the compiler does not spot the function and says it is not declared.
I'm trying to optimize my ASP.NET thumbnailing script, so it doesn't resize all the images all the time, and one part of the problem is choosing the hash function for the thumbnail naming/checking procedure. Is crc32 up to the task - I'm asking cause the input data is small (only relative path, size and date)?
I need to create a hash key on my tables for uniqueness and someone mentioned to me about md5. But I have read about checksum and binary sum; would this not serve the same purpose? To ensure no duplicates in a specific field.
How can I implement this? Do I need to write code in my VB application which populates the tables with stored procedures or can I do this from SQL Server 2005 Studio Express?
Having spent considerable amount of time in ASP.NET security community I would like to share this.
There are three ways of resetting and changing passwords explained at
Microsoft ASP.NET site [URL]
Step 1: Helping Users Recover Lost Passwords
Step 2: Changing Passwords
Step 3: Allowing Administrators to Change Users' Passwords
In step 1 and step 2 end user passwords are sent by an email.
In Step 3: functionality is explained where the administrator is changing the password and sending it through an email message. Refer "I encourage those readers interested in this functionality to become more familiar with the code and try extending the functionality to include sending an email to the user whose password was changed." Query
Is sending passwords by email secure enough or best security password at all? I have implemented functionality where Admin is sending passwords to end users by changing once in 3 months. End users expressed their views that sending passwords by email is not secure. When there is a security threat in sending passwords by email, Microsoft security experts should not be emailing passwords in the above mentioned article, which is still up to date.
I'm trying to add an IsImage property that I wrote myself to the HttpPostedFile class, so that if a user is uploading a file, I can do something like this: FileUpload1.PostedFile.IsImage
How can I do that in C#?
I need to pass some info to a 3rd party (for tracking) and they require I provide a checksum value which is an md5 hashed amalgamation of some of the other values. This is my code :
[Code]....
They keep rejecting my checksum. When I have tested for the following value passed in preConvert - 300265215063.79 I get :
My code gives : ED4463C84DE9D21B54C4E62F2D72CE
An online MD5 hash gives : 0ed40463c84de9d21b54c4e62f2d72ce
Which apart from the case, is exactly the same apart from missing 2 zeroes.
I am trying to change my password. The password in the database is in hash formatting. The class FormsAuthentication is used for hash conversion. The password is indicating the same in the if condition, but after applying the if it suddenly goes to the else part, even though the value in the if condition is the same.
I am here to generate a unique pin no of fixed length. All my previously generated pin no are stored in database and I want newly generated pin no to be unique.
I want to combine serial no and custom key and generate unique pin no.
I am encrypting a textbox value in md5 using this coding and passing it as a querystring, and on the other page I want to decrypt.....
[code]....
I am rewriting my PHP website into C# .NET, and I need to be able to set the algorithm used by the CreateUserWizard / Membership Provider to SHA1 so that I can port all of the user accounts over without having to force them all to reset their passwords when this project is complete. At current glance it doesn't look like it is using SHA-1, and my Googlefoo is failing me.
I am trying to encrypt my passwords and store them in the database. I want to know which is the latest one.
I have been trying to change a user's password, I have been using this code
[Code]....
I do not get an error during the try routine, but my problem comes when the user goes to insert their new password (using the Login control): it says that the password is wrong, and they then can't log in using either their new or old password.
All password criteria are met, web.config is set so passwordQuestion = false
I have an ASP.NET page where I have used FormsAuthentication.HashPasswordForStoringInConfigFile. The encrypted password is saved in the database. I have created a forgotPassword page, where I need to send the user his password. How can I decrypt it and send it to the user? If SHA1 cannot be decrypted, what other option should I use to encrypt the passwords?
I want the login password to not be sent in plaintext (due to the risk of hijacking). I know that this can be achieved in principle using MD5 or the like, but is there a common implementation for use with Asp.Net? Of course, it's crucial that the resulting hash (?) isn't easy to decrypt. When I read various posts on this matter, some people say it's just to do a reverse on the encrypted string, so that in effect, this is totally useless.
I have to make changes to some existing web applications at work to bring them in line with a new security policy.
I am using the framework 3.5 and am using the standard sql membership provider for user authentication.
When a user is changing his password, I want to prevent him using previously used passwords. What is the best and easiest way to go about this?
I was thinking a SQL table with the following columns, my problem was do I handle encryption here as they are old?
dbo.OldUserPasswords
UserID, GUID, NOT NULL, FK Reference to aspnet_Users.
Password, nvarchar(256) NOT NULL,
Timestamp, timestamp, NOT NULL
I have a GridView that I am trying to add paging to, however when the 2nd page is selected I get my EmptyDataText. In reviewing multiple sites and forums they have stated to send your DataTable to a Session - what am I missing here?
[Code]....
I want to implement mail merge with my ongoing project. I know well how to send newsletters to authorized clients, but need to do it with mail merge like the email from this forum.
I am trying to insert a string and random number into the database as hash sha1 then logging in against it. The problem is if I use hash it won't login but if I don't use hash the login works fine... Code below.
insert hash into db
Dim user As New Label
user.Visible = False
user.Text = (myDataReader2.Item("username"))
MyConnection2.Close()
Dim MyConnection3 As New Data.SqlClient.SqlConnection("Data Source=xxx")
Dim mycommand3 As New Data.SqlClient.SqlCommand("Update Register SET [Password] = @password WHERE [username] = '" & user.Text & "' AND [email] = '" & email.Text & "'", MyConnection3)
Dim pass As String
Dim rnd As Integer, randomNum As New Random
rnd = randomNum.Next(1000, 10000)
pass = "Pass" & rnd
mycommand3.Parameters.AddWithValue("@password", FormsAuthentication.HashPasswordForStoringInConfigFile(pass, "SHA1"))
MyConnection3.Open()
mycommand3.ExecuteNonQuery()
login page
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
' Fires upon attempting to authenticate the user
If Not (HttpContext.Current.User Is Nothing) Then
If HttpContext.Current.User.Identity.IsAuthenticated Then
If TypeOf HttpContext.Current.User.Identity Is FormsIdentity Then
Dim fi As FormsIdentity = CType(HttpContext.Current.User.Identity, FormsIdentity)
Dim fat As FormsAuthenticationTicket = fi.Ticket
Dim astrRoles As String() = fat.UserData.Split("|"c)
HttpContext.Current.User = New GenericPrincipal(fi, astrRoles)
End If
End If
End If
End Sub
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs)
Dim myConnection As New SqlClient.SqlConnection
Dim myCommand As New SqlClient.SqlCommand
Dim intUserCount As Integer
Dim strSQL As String
myConnection = New SqlClient.SqlConnection("Data Source=xxx")
strSQL = "SELECT COUNT(*) FROM Register " _
& "WHERE UserName='" & Replace(txtusername.Text, "'", "''") & "' " _
& "AND Password='" & Replace(txtpassword.Text, "'", "''") & "';"
myCommand = New SqlClient.SqlCommand(strSQL, myConnection)
myConnection.Open()
intUserCount = myCommand.ExecuteScalar()
myConnection.Close()
'Response.Write(intUserCount)
If intUserCount > 0 Then
FormsAuthentication.Initialize()
Dim strRole As String = AssignRoles(txtusername.Text)
'The AddMinutes determines how long the user will be logged in after leaving
'the site if he doesn't log off.
Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
txtusername.Text, DateTime.Now, _
DateTime.Now.AddMinutes(30), False, strRole, _
FormsAuthentication.FormsCookiePath)
Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _
FormsAuthentication.Encrypt(fat)))
Response.Redirect(FormsAuthentication.GetRedirectUrl(txtusername.Text, False))
Else
login.Text = "Incorrect Log In Information"
End If
End Sub
Private Function ValidateUser(ByVal strUsername As String, ByVal strPassword As String) _
As Boolean
'Return true if the username and password is valid, false if it isn't
Return CBool(strUsername = " & Replace(txtusername.Text, " AndAlso strPassword = " & Replace(txtpassword.Text, ")
End Function
Private Function AssignRoles(ByVal strUsername As String) As String
Dim myConnection As New SqlClient.SqlConnection
Dim myCommand As New SqlClient.SqlCommand
Dim intUserCount As Integer
Dim strSQL As String
myConnection = New SqlClient.SqlConnection("Data Source=xxx")
strSQL = "SELECT COUNT(*) FROM Register " _
& "WHERE UserName='" & Replace(txtusername.Text, "'", "''") & "' " _
& "AND Password='" & Replace(txtpassword.Text, "'", "''") & "';"
myCommand = New SqlClient.SqlCommand(strSQL, myConnection)
myConnection.Open()
intUserCount = myCommand.ExecuteScalar()
myConnection.Close()
'Response.Write(intUserCount)
If intUserCount > 0 Then
Return "client"
Else
Return String.Empty
End If
End Function
Protected Sub LinkButton1_Click(ByVal sender As Object, ByVal e As System.EventArgs)
txtusername.Text = String.Empty
txtpassword.Text = String.Empty
End Sub
I need to store passwords provided by the user. Yes, passwords. I could not use Hashes because I need to supply the password to another external service for authentication, and therefore I need to have the password.
What is the best and most secure way to store the passwords? As the external data provides private data it is of course very important that the password in my MS SQL DB is stored as safe as possible.
I'm looking to create my application as secure as possible. Now I have following line of code:
[Code]....
As you can see, my password is in plain-text in the code. Now, I presume it's easy to decompile a code using a tool and getting your hands on the password. Since these are my AD Admin-credentials this is not that good. The AuthenticationTypes are secure, I think. They encrypt the data before sending it to the network. So there's just the problem of the plain-text password. I've searched for it on Google but can't find the proper solution. I've found a lot about encrypting passwords in the web.config.