I'm about to setup a new client with username and passwords that will be managed in the database.
I am not using the Membership provider - and I do not want to.
At any rate - other times I've done this I've stored the PW in clear text in a user table. I've seen commercial system that can send you your "existing" password so they must do basically the same thing.
I'm thinking for this setup I want to encrypt the password - probably a one-way encryption. Of course that means I can never give someone their password if they forget - I'll simply have to reset it to something unique and let them change it when they login.
What encryption methods are easy and quick to use?
Is there one I can do in Javascript so that I can encrypt in the browser and never have to actually POST a clear text password either??
Is this how hashed password stored in SQL Server should look like? This is function I use to hash password (I found it in some tutorial)
public string EncryptPassword(string password) { //we use codepage 1252 because that is what sql server uses byte[] pwdBytes = Encoding.GetEncoding(1252).GetBytes(password); byte[] hashBytes = System.Security.Cryptography.MD5.Create().ComputeHash(pwdBytes); return Encoding.GetEncoding(1252).GetString(hashBytes); }
EDIT: I tried to use sha-1 and now strings seem to look like as they are suppose to:
public string EncryptPassword(string password) { return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "sha1"); } // example output: 39A43BDB7827112409EFED3473F804E9E01DB4A8
Result from the image above looks like broken string, but this sha-1 looks normal....
I have a service (WCF) with which my ASP.NET page will communicate. The WCF service has hashed passwords in its data store (a file actually). The WCF service requires the username and the hashed password on every call. Nowm the problem I'm encountering is that if I authenticate the user with forms authentication in ASP.NET, a cookie will be saved in the user's computer after the user is authenticated but I would like to save the username and hashed password too so that the user may able to use the WCF service. Where should this information should be saved so that it is safe and secure? Should I use session variables? If I choose that option that, then should I switch from forms-based authentication and manually authenticate using session variables or use both forms-based autentication for web page access and store the username and hashed password in a session variable? What are the pros and cons of each?
I am writing a simple plugin for IE. I need to store a password and username setting for the user who uses the plugin. I know that I can store the username/password in the registry, I can manually encrypt it using the encription classes with .NET, or I can store it in a config file and encrypt the config file. I was wondering if there is a specific pattern/mechanism that I should use to store password and username.
for maintain security, i encrypted my password and store in database like following
Dim PWD As String = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text.Trim(), "SHA1").Trim()
but problem is suppose user forget his password and need to know then how can i decrypted the password and send to the user?is there any other suitable way to handle password?
Even with https enabled, you can write a password to the event log in code-behind. Any way to keep that password encrypted in code while you're checking it against a data store?
(using Login control)
(couldn't add comment to Andrew's answer, so I'm putting it here) NTLM uses the username/password of the machine the user is logged into right? For this, I was thinking using ActiveDirectory on the server as the data store. It would have a diferrent un/pw than what the user is currently signed in to their machine as.
Is it safe to send a POST to a web method with a JSON string containing a clear text version of a password for authentication?Who could sniff that password on the way from client to web method? I saw some posts a while ago on "salting" a password - is that something you do in JS on the client side and then "unsalt" on the server?
I have an aspx box with with to asp controls; one text box for entering a password and a button for submitting. Now, when the user enters a password he has to click the submit button.
I want to set it up so the after the user enters a password all he has to do is hit the enter key on the keyboad instead of having to click the submit button. I want it to work just like it does on this forum; all I have to do is enter my user name and password and hit the enter key on the keyboad. The only difference is that I only have a password field and not a user name field.
I tried setting the password to autopost back and it didn't work or at least I didn't have the code correct.
I need to store passwords provided by the user. Yes, passwords. I could not use Hashes because I need to supply the password to another external service for authentication, and therefore I need to have the password.
What is the best and most secure way to store the passwords? As the external data provides private data it is of course very important that the password in my MS SQL DB is stored as safe as possible.
I have store procedure: ALTER PROCEDURE dbo.GetAllInfoFromUsers(@name varchar(50)) AS select id, userName,password, role from tbl_users where userName=@name
When I create a new login for my SQL Server 2008 I also specify a password for this login. But when I, after the creation is done, check the login's properties the password is much longer than the one I specified. If I here change the password once again, SQL Server 2008 will automatically change the password for the login - again. ANd I don't know what the password that SQL Server keep putting for my logins, since the password consists of small black dots.
I have the asp.net with authentication set to forms. After deploying new version on server it started to display a UsernName Password dialog box (like in windows authentication) on the login.aspx page.
When user click "cancel" the login.aspx page displays normally and user could log in and continue his work normally.
I don`t know how to get rid of that dialog box? Anonymous login on IIS is enabled, and the anonymous IIS user has access to that file - login.aspx
I have a custom membership user class and custom MembershipProvider working against database. Due to security reasons the user passwords are stored in the database as hashed values. So my procedure
public override bool ValidateUser(string username, string password) is { //select hashed password from db return (EncodePassword(password) == dbpassword) } [code]....
I have an entity called a file which is the main part of my project. The file has invoices and timesheets captured against it. So I have a file tab with info about the file, like FileNumber, Vessedl, Voyage etc. Now I need to be able to upload documents for the file. So I will add an uploads tab. But the uploaded documents need to be saved for the specified file the user uploads it for. then when a user opens a file I need to show the documents for that file in a list of some sort. the best way to do this. What's the best way to upload multiple files? should I store all the info in my database?
