I want to know how can I protect my password in login & register pages because I am not using .net's Login or CreateUserWizard controls.I want an encryption method for this process e.g. when storing password in the database form the register page and when comparing the password with stored password in database to varify a user in login page.
View 3 RepliesJust a quick question i've been asked to look at enhancing security but encrypting passwords we store in a db table, essentially the data thats linked to the user account isnt sensitive however its more to stop someone reading passwords out of the table directly etc
I've read multiple ways of implimenting hashing etc i've started using FormsAuthentication.HashPasswordForStoringInConfigFile
//create new salt and update the password
Hashtable newInfo = new Hashtable();
newInfo["salt"] = GenerateFriendlyPassword(5);
string tmppass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtNewPass1.Text.ToString() + newInfo["salt"].ToString(), "SHA1");
newInfo["passwordHash"] = tmppass;
Generate friendly password returns a 5 char string based on a random position in a valid char array containing a - z and 0 - 9At present the functionality is at page level in the code behind, re this is the forms authentication HashPasswordForStoringInConfigFile function thread safe? Or do i need to look at implimenting this in a different wayCheers appreciate your response as im always jubious about multi threading etc,
Can anyone help with best practice for storage of database passwords/connectionstrings for ASP.NET applications? Most tutorials suggest storing the connection string (along with the password) in Web.config. I don't like this solution because the connectionstring is visible to anyone working on the application (although I appreciate it is secured from the consumer). You can use aspnet_regiis to encrypt sections of Web.config, but then surely anyone with access to the web server could easily decrypt it anyway. For an enterprise level application what should I be doing?I could store it in Web.config and encrypt with my own key, but then would that offer any advantage over aspnet_regiis, because the key would have to reside on the web server anyway?
View 1 RepliesI am using a custom membership provider with a custom ValidateUser method. The ValidateUser sends and additional parameter to authenticate my users (Username, Password, and Dealer). I created a custom stored procedure for ValidateUser to call. I copied over all my users from another table and encrypted all the passwords in the aspnet_membership table using the code below. My question is, how do I take the password the user enters in the login form and validate that against what is in my aspnet_membership Here is the code I used to encrypt the passwords (not even sure this was the right way to encrypt. Please tell me if I did this wrong):
public static string EncodePasswordNow(string originalPassword)
{
Byte[] originalBytes;
[code]...
Before I continue I'm going to let everybody know that I am not trying to follow a traditional .Net Membership Provider. I'm attemping to write my own Membership Provider which does not extend the default .Net Membership Provider b/c I feel that in areas it can become extremely cumbersome. Please keep this in mind before responding. Also keep in mind that I am trying to learn from this experience, not find an easy solution for some client's application.I am writing a custom membership provider that has password formatting functionality similar to .Net's default membership provider. I'm looking for soe good/easy examples of ways to encrypt/decrypt or hash password values. I previously tried going the RSA route, but got stuck when I had to Import an RSAParameter and was unsure of how to generate a RSAParameter.
I would like to have both Hashing and Encryption available, but only need Encryption. I'm also looking for a very strong encryption. I'm storing the password format in an external .xml file (similar to how the web.config stores the password format for .Net's Membership Provider) which will become manageable from the administrative side of my webapplication.If anybody knows of any existing Encryption libraries that may provide assistance, please feel free to post links. I only ask that they be open source solutions so I can see how they went about doing this.
For our website, we have decided we would like to maintain our user passwords as encrypted binary data in our database. We are using ASP.NET 3.5 to host our site and SQL Server Express 2008 for the database, both running on the same server. When a user logs in and submits a username and password, there will need to be some sort of encryption or decryption in order to verify the credentials. To me, it would appear that there are 3 ways to do this:
1)[C# Encyrption] On User creation, perform encryption in the Web App and submit the encrypted password to the database. To verify credentials at Login, perform the same encryption on the submitted password and ensure that it matches the value stored in the database.
2)[SQL Encryption] On User creation, submit the plain-text password to the database and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, have the database perform decryption on the password during the SELECT statement, and compare the plain-text submitted password to the one in the database.
3)[Mix] On User creation, submit the plain-text password to the database, and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, perform the same encryption algorithm used by SQL on the submitted password ( is this possible? ), and ensure that it matches the value stored in the database.
Does anybody have an opinion as to which of these options is best? Number 1) is the most familiar to me, and would be the easiest to use with LINQ to SQL ( which is our current data model ), so I am leaning towards that. But if there are better options I would love to know about them.
Not sure if I'm posting the question in the right category.
1) I'm working in a project where encryption of data is high priority. Could some one suggest what would be the best encryption method to protect data from being cracked.
I'm using TCP/IP protocol.
2) Is HTTPS totally secured. If I'm using HTTPS, does that mean that there is no encryption of data required in the coding?
I have a problem with changing the password from Microsoft Access Database. I get an Error "No data exists for the row/column". The password in the database is encrypted and when I change the password it should be decrypting the password and new password should be updated with encryption again. I have following Encryption and Decryption Function:
Code:
Imports System.Collections.Generic
Imports System.Linq
Imports System.Web
Imports System.Text
[code]....
I am using a standard implementation of the membership provider. I however, need to compare a supplied password (from a textbox) with a saved encrypted password. This is for a new security policy at work.
[Code]....
i want to encrypt the password by using the encryption algorithm dll uploaded by the user. is it possible to do the action. how can i call the method used by the user to create the dll.
View 1 RepliesI have to make changes to classic asp website where once a button is clicked it autologins to a third party website with a intermediate page that warns that you are logging in to a third party website.
The thirdparty is providing us with a username and password and gave us an examle javascript to encode the password to send to them. Now where do I store the userid and password. I cannot execute the javascript on the serverside. It has to go to the client. If the asp page which has the encryption javascript goes to the client side then the source can be viewed and the username and password is given out.
Is there a way that I can have hidden asp page whose only job is to encrypt the password and create a new url and auto redirect it to that new url.
So when the user clicks ok on the intermediate warning page I redirect it to this hidden asp page which does the encryption and a creates a url for get method and redirects to that page.
I am a novice as far as java script and classic asp is concerned.
I am using this method to encrypt password.. When user enters special characters it gives an error.. Method below :
private string base64Decode(string sData) {
string result=null;
try
{
System.Text.UTF8Encoding encoder = new System.Text.UTF8Encoding();
System.Text.Decoder utf8Decode = encoder.GetDecoder();
[Code] ....
I can recover my password but when I try to change my password to something a bit easier to remember it gives me:
Password incorrect or New Password invalid. New Password length minimum: 7. Non-alphanumeric characters required: 1.
I am using a Query Encryption Technique shown in Thread[URL]I am facing a problem with the above module status bar always displays real URL,& when ever i right click on page then properties than Address URL shows Real URL
View 4 RepliesI would like to use the System.Security.Cryptography to encrypt / decrypt my passwords strings for my custom membership provider login.I've read some basic article's but they don't explain much about the process in detail. I've decided to use AES because it is said to replace DES encryption. How can I encrypt and decrypt my password strings in the strongest way possible with AES? I would really like a very detailed explanation about the method to use for this task.
View 1 RepliesIf a website is already using SSL, this guarantees a secure channel between the client and the website right. If I do another encrypt on the information being transmitted via HTTP POST would this be an overkill?
View 2 RepliesI was able to encrypt the password and save it in the database but I need to encrypt the password now when the users try to login. For example, user comes and types his/her username and password but the password is already encrypted in the database, how can I decrypt and authenticate the user?
protected void ValidateUser(object sender, EventArgs e)
{
int userId = 0;
string constr = ConfigurationManager.ConnectionStrings["constr"].ConnectionString;
using (SqlConnection con = new SqlConnection(constr))
{
using (SqlCommand cmd = new SqlCommand("Validate_User"))
[code].....
here is the decrypt function
private string Decrypt(string cipherText)
{
string EncryptionKey = "MAKV2SPBNI99212";
byte[] cipherBytes = Convert.FromBase64String(cipherText);
using (Aes encryptor = Aes.Create())
[Code]......
I inherited a ASP.Net website. Some changes need to be implemented. The login for the application is encrypted using the md5cryptoserviceprovider class. After upgrading to 2.0, the password is no longer encrypted the same as when it was 1.1.
I left the 1.1 virtual directory and it's still working. On the same box, I loaded the 2.0 code and setup a new virtual directory (which isn't encrypting the same as 1.1).
I copied the section below from the 1.1 machine.config section into the web.config and the 2.0 machine.config.
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>
Here is the code that is generating the hash.
MD5CryptoServiceProvider encryptionServiceProvider = new MD5CryptoServiceProvider();
var bytes = ASCIIEncoding.ASCII.GetBytes(inputString);
what is two way encryption and how does that work ?
View 2 RepliesI have a hex string (encrypted)I need to use Rijndael classes with these settings:
Encryption: AES
I have a problem trying to encrypt a string in PHP and also in C# using DES (cbc) encryption. The problem I'm facing is that I'm getting different results using the different languages.In C#:
[Code]....
You can see that they are close...
PHP: HLp51qoFW0rimOTafCVTVQ==
C# : HLp51qoFW0ojU8eGEGkk4w==
But something is going wrong somewhere, I suspect it's a difference between (PHP) pack("H*", '0F26EF560F26EF56') and (C#) StringToBytes.ConvertHex("0F26EF560F26EF56") but I'm really struggling to spot it.
my code:
[Code]....
I have a stored encryption: "dkljas84u238jidasjidoia"When I get in this instance decryption "11111111111111111"show how the combobox "****************** 1111 "Something like: SELECT RIGHT ('11111111111111111 ', 4)
I'm just starting to really get into JSON as a tool for my sites. I was showing my friend how I am calling a WS and returning the data, and he asked me about security of passing JSON data to and from a web service as he saw the data from the "POST" (via Firebug). Many of our public facing sites deal with member information and contain PHI. Can I encrypt the JSON data and then unencrypt it? Is that a good way to go about it to ensure a layer of protection? Or is there another "better/right" way of doing it? Or are his concerns unfounded? Is there an article about how to encrypt or secure the JSON data when needed? Just trying to gather as much knowledge as possible before I go down a path that won't work for the company.
View 4 RepliesMy website has to connect to a hosted SQL Server database. The connectiostring, incluing username and password, is stored in the web config file.I have two questions.The first is that everything I read says this must be encrypted so that it cannot be read and used by others. Well, how would that happen. My understanding of ASP.net is that all the work is carried out on the hosted server and the rendered page is then delivered to the user. How would a user be able to view my connectionstring.Secondly, I have used some msdn vb.net code to encrypt the connection string in the web config file. Following on from the first question, how can I confirm that the encryption is intact on the published web.config file.
View 7 RepliesI am creating an application that will save financial data.I am in the process of creating an architecture for this application.I am stuck deciding wether to do encryption on the application side or SQL Server side. I am planning to use AESManaged algorithm for this.My requirement is such that the ecnryption key is unique for each user (based on user's password).I am of the opinion that it should be on the application server side as it becomes easily scalable. Another attractive thing that I find is that if my frontend is Silverlight then I can pass on the actual encryption load onto the client system.
View 7 Replies