Re: Storing passwords in database


From: John M Deal (johndeal_at_necessitysoftware.com)
Date: 11/29/04


Date: Mon, 29 Nov 2004 11:43:56 -0800

You shouldn't encrypt or decrypt it at all. What you should do is create
a hash of the password value and then store it in the database. The next
time the user tries to log on you should hash the password they entered
and compare it to the stored hash; if they are the same then the user
entered the proper password. This helps prevent anyone with access to
your database (for legitimate purposes or otherwise) from figuring out
people's passwords (as the hash cannot be reversed). You may also
consider salting the password when hashing it.

Here's one site with some info:

http://www.ondotnet.com/pub/a/dotnet/excerpt/ado.netckbk_chap01/?page=2

Others can be located using a search on Google for:

dotnet password hash salt

Hope this helps.

Have A Better One!

John M Deal, MCP
Necessity Software

VB Programmer wrote:
> I am using SQL Server as the database for my ASP.NET app.
>
> I have a users table with a password field. What is the best way to encrypt
> it before it goes into the table, then decrypt it to read the value? Any
> sample code or links would be helpful.
>
> Thanks!
>
>


