Keep That Password Encrypted In Code While Checking It Against A Data Store?
Jan 18, 2011
Even with https enabled, you can write a password to the event log in code-behind. Any way to keep that password encrypted in code while you're checking it against a data store?
(using Login control)
(couldn't add comment to Andrew's answer, so I'm putting it here)
NTLM uses the username/password of the machine the user is logged into right? For this, I was thinking using ActiveDirectory on the server as the data store. It would have a diferrent un/pw than what the user is currently signed in to their machine as.
for maintain security, i encrypted my password and store in database like following
Dim PWD As String = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text.Trim(), "SHA1").Trim()
but problem is suppose user forget his password and need to know then how can i decrypted the password and send to the user?is there any other suitable way to handle password?
My company has some unique password policies (such as a pwd cannot be re-used for 6 months, aside from the must include #, special character, upper & lower case)Can anyone suggest how to go about ensuring that a new user's password complies with these policies (using forms authentication in .net 3.5 framework)?
I am using a standard implementation of the membership provider. I however, need to compare a supplied password (from a textbox) with a saved encrypted password. This is for a new security policy at work.
I need to send password encrypted email in C# -how hard is this to do ?, and how to do it ...??Do you nee SSL certificate or not ?I know how to send normal emails becuase i did it already but not encrypted emailsIf you have personal experience , then tell me the how.
For testing I used this:[URL]Encrypts only the password is not encrypted and username.Why not?For security reasons, I would like also to encrypts username.
I am working on document storage and retrieval application. In which i display the pdf document as an png image , but i have a email button on the top. On clicking that the user would be able to provide an email address to which the document needs to be sent, and I need to send this pdf as an attachment. I need to password protect the file for security reasons. I have no clue on how i can do this in asp.net mvc.
I'm creating a website and currently making tests for registration. I've manage to create a registration form in the web site and save what the user inputs in the textboxes into a sql server 2008 database.
One of the fields is Password. What I want know is how do you save the password into the database but the database stores it encrypted. That way I'm just able to see the password encrypted. Then when I make a log-in form how to validate the password input by the user with the encrypted one and give a succesful login.
I encrypted my connectionstring and store at web.config file. Then I bind Gridview with sqldatasource control, cannot bind because of sqldatasource don't know the(encrypted) connectionstring.
For our website, we have decided we would like to maintain our user passwords as encrypted binary data in our database. We are using ASP.NET 3.5 to host our site and SQL Server Express 2008 for the database, both running on the same server. When a user logs in and submits a username and password, there will need to be some sort of encryption or decryption in order to verify the credentials. To me, it would appear that there are 3 ways to do this:
1)[C# Encyrption] On User creation, perform encryption in the Web App and submit the encrypted password to the database. To verify credentials at Login, perform the same encryption on the submitted password and ensure that it matches the value stored in the database.
2)[SQL Encryption] On User creation, submit the plain-text password to the database and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, have the database perform decryption on the password during the SELECT statement, and compare the plain-text submitted password to the one in the database.
3)[Mix] On User creation, submit the plain-text password to the database, and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, perform the same encryption algorithm used by SQL on the submitted password ( is this possible? ), and ensure that it matches the value stored in the database.
Does anybody have an opinion as to which of these options is best? Number 1) is the most familiar to me, and would be the easiest to use with LINQ to SQL ( which is our current data model ), so I am leaning towards that. But if there are better options I would love to know about them.
Web service error response (code/message etc) would you store it in a database? or would you keep the error response in a method.By the time I'm done with this, there will be hundreds of error response, maybe in the future, thousands? (I dont know yet, depends how large this web service grows).EDIT: error response is the response returned back to the application via the web service, (not to be confused with error logging).
I have a system where I salt and hash passwords before saving them to the database, using FormsAuthentication in asp.net
What I want to do is, rather than ask the customer for their password each time, I just want 3 random letters from their password. How can I compare this to the hash in the database? Will hashing still work in this case? From what I gather hashing is only designed to be a one way process and shouldn't be decrypted, so is checking 3 random letters for a hash even possible?
I Use Asp.Net Change Password Control.I want to make shure that new Passord won't be the sae as Old Password.Is ChangingPassword Event Using for this process?How Could I Compare NEw Password Which is ClearType with Hashed Password which Saved In DB.Note:I Use ASP.Net Builtin Membership.
I have read the post at http://forums.asp.net/t/1403132.aspx regarding login control. Is there a place to store the User logged-in ID (info) for later checking and use? I don't need to use the session object. I don't need the page to expire. I don't need the user to use a page saved in the favoites.
I was able to encrypt the password and save it in the database but I need to encrypt the password now when the users try to login. For example, user comes and types his/her username and password but the password is already encrypted in the database, how can I decrypt and authenticate the user?
protected void ValidateUser(object sender, EventArgs e) { int userId = 0; string constr = ConfigurationManager.ConnectionStrings["constr"].ConnectionString; using (SqlConnection con = new SqlConnection(constr)) { using (SqlCommand cmd = new SqlCommand("Validate_User"))
I have a formview that I open to the edit template, some textboxes are not available and some are populated by dropdown lists, and the update function works fine.
As soon as I add some logic to the code behind page for the update control, the UPDATE link on the formview stops updating my DB.
So if i encrypt connectionstrings and sections, how will i get their values inside my code?I don't want to decrypt the web.config, i just want to read the encrypted values.There must be a class.Maybe something from ConfigurationManager?I don't suppose it's automatically decrypted?
Is this how hashed password stored in SQL Server should look like? This is function I use to hash password (I found it in some tutorial)
public string EncryptPassword(string password) { //we use codepage 1252 because that is what sql server uses byte[] pwdBytes = Encoding.GetEncoding(1252).GetBytes(password); byte[] hashBytes = System.Security.Cryptography.MD5.Create().ComputeHash(pwdBytes); return Encoding.GetEncoding(1252).GetString(hashBytes); }
EDIT: I tried to use sha-1 and now strings seem to look like as they are suppose to:
public string EncryptPassword(string password) { return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "sha1"); } // example output: 39A43BDB7827112409EFED3473F804E9E01DB4A8
Result from the image above looks like broken string, but this sha-1 looks normal....
I have a service (WCF) with which my ASP.NET page will communicate. The WCF service has hashed passwords in its data store (a file actually). The WCF service requires the username and the hashed password on every call. Nowm the problem I'm encountering is that if I authenticate the user with forms authentication in ASP.NET, a cookie will be saved in the user's computer after the user is authenticated but I would like to save the username and hashed password too so that the user may able to use the WCF service. Where should this information should be saved so that it is safe and secure? Should I use session variables? If I choose that option that, then should I switch from forms-based authentication and manually authenticate using session variables or use both forms-based autentication for web page access and store the username and hashed password in a session variable? What are the pros and cons of each?
I'm about to setup a new client with username and passwords that will be managed in the database.
I am not using the Membership provider - and I do not want to.
At any rate - other times I've done this I've stored the PW in clear text in a user table. I've seen commercial system that can send you your "existing" password so they must do basically the same thing.
I'm thinking for this setup I want to encrypt the password - probably a one-way encryption. Of course that means I can never give someone their password if they forget - I'll simply have to reset it to something unique and let them change it when they login.
What encryption methods are easy and quick to use?
Is there one I can do in Javascript so that I can encrypt in the browser and never have to actually POST a clear text password either??
I am writing a simple plugin for IE. I need to store a password and username setting for the user who uses the plugin. I know that I can store the username/password in the registry, I can manually encrypt it using the encription classes with .NET, or I can store it in a config file and encrypt the config file. I was wondering if there is a specific pattern/mechanism that I should use to store password and username.