Storing passwords in database

I am using SQL Server as the database for my ASP.NET app.

I have a users table with a password field. What is the best way to encrypt
it before it goes into the table, then decrypt it to read the value? Any
sample code or links would be helpful.

Thanks!
Nov 18 '05 #1
You shouldn't encrypt or decrypt it at all. What you should do is create
a hash of the password value and then store it in the database. The next
time the user tries to log on you should hash the password they entered
and compare it to the stored hash; if they are the same, then the user
entered the proper password. This helps prevent anyone with access to
your database (for legitimate or otherwise purposes) from figuring out
people's passwords (as the hash cannot be reversed). You may also
consider salting the password when hashing it.

Here's one site with some info:

http://www.ondotnet.com/pub/a/dotnet...chap01/?page=2

Others can be located using a search on Google for:

dotnet password hash salt

Hope this helps.

Have A Better One!

John M Deal, MCP
Necessity Software
VB Programmer wrote:
I am using SQL Server as the database for my ASP.NET app.

I have a users table with a password field. What is the best way to encrypt
it before it goes into the table, then decrypt it to read the value? Any
sample code or links would be helpful.

Thanks!

Nov 18 '05 #2
Try using the .Net Crypto API. It provides the best tested algorithms for
encryption.
Try using trusted_connection=true; in the web.config file instead of using
a SQL connection string with username and password.

HTH
"VB Programmer" <Do*****************@jEmail.com> wrote in message
news:uu**************@TK2MSFTNGP12.phx.gbl...
I am using SQL Server as the database for my ASP.NET app.

I have a users table with a password field. What is the best way to
encrypt it before it goes into the table, then decrypt it to read the
value? Any sample code or links would be helpful.

Thanks!

Nov 18 '05 #3
I agree with John that hashing is preferable. Most programmers would
consider it to be the best practice.
Here's an example for you:
http://www.aspnetpro.com/NewsletterA...200304so_l.asp

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"VB Programmer" <Do*****************@jEmail.com> wrote in message
news:uu**************@TK2MSFTNGP12.phx.gbl...
I am using SQL Server as the database for my ASP.NET app.

I have a users table with a password field. What is the best way to
encrypt it before it goes into the table, then decrypt it to read the
value? Any sample code or links would be helpful.

Thanks!

Nov 18 '05 #4
I just finished programming the same thing that you want to do and I used,

http://msdn.microsoft.com/library/de...SecNetHT03.asp

That's all you will need, follow it step-by-step, by far the most secure
password handling out there using the SHA-1 type.
"VB Programmer" <Do*****************@jEmail.com> wrote in message
news:uu**************@TK2MSFTNGP12.phx.gbl...
I am using SQL Server as the database for my ASP.NET app.

I have a users table with a password field. What is the best way to encrypt it before it goes into the table, then decrypt it to read the value? Any
sample code or links would be helpful.

Thanks!

Nov 18 '05 #5