A simple security question

With Asp.net 2.0, when a internet user logs in with a "login

authentication form", is the password encrypted when it is sent to the
server ?

Via HTTP? No.

Via HTTPS? Yes.

-Darrel

Darrel didn't answer your questoin fully. You asked hashed or encrypted. My
understanding is that hashed strings can't be unhashed (not meant to be
anyway unless the hash as been cracked). I'm sure HTTPS is encrypting, not
hashing. Passwords or any other data that's sent via HTTPS would have to be
decrypted on the other side. The only way to "un"hash a password is to use
the same salt to hash the one on the other end and see if they match. Not
really unhashing at all. Does that make sense? If I'm wrong, I'm sure
someone will jump in and say so. :-)
"Oriane" <or****@noemail.noemailwrote in message
news:#4**************@TK2MSFTNGP05.phx.gbl...

Hi,

With Asp.net 2.0, when a internet user logs in with a "login

authentication

form", is the password encrypted when it is sent to the server ? Is is
hashed ?

Best regards

Hi Oriane,

Regarding on your question, I think the answer is:

Without using any transport layer security approach(such as SSL/TLS), the
password(just like any other textbox field on page) are send via clear text
without any encrypting or hashing.

If you use basic authentication of HTTP protocol, by default it also only
perform a base64 encoding which is easy to decode. Therefore, if
security(confidentiality) is critical for your case, you should consider
apply SSL/TLS(https) on the login entry.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

>From: "Oriane" <or****@noemail.noemail>
Subject: A simple security question
Date: Fri, 5 Sep 2008 17:27:55 +0200

>Hi,

With Asp.net 2.0, when a internet user logs in with a "login

authentication

>form", is the password encrypted when it is sent to the server ? Is is
hashed ?

Best regards

Hi Keith,

----- Original Message -----
From: "Keith G Hicks" <kr*@comcast.net>
Newsgroups: microsoft.public.dotnet.framework.aspnet
Sent: Saturday, September 06, 2008 3:49 PM
Subject: Re: A simple security question

Darrel didn't answer your questoin fully. You asked hashed or encrypted.
My
understanding is that hashed strings can't be unhashed (not meant to be
anyway unless the hash as been cracked). I'm sure HTTPS is encrypting, not
hashing. Passwords or any other data that's sent via HTTPS would have to
be
decrypted on the other side.

I don't agree ! In the sql database, only the hashed password is saved (by
default). So you don't necessarily need to send the clear password if you
hash it with the same algorithm on the client. But in fact you are right, as
Steven says, hashing is performed on the server.

The only way to "un"hash a password is to use
the same salt to hash the one on the other end and see if they match. Not
really unhashing at all. Does that make sense? If I'm wrong, I'm sure
someone will jump in and say so. :-)

Thanks for your answer

Thank you Steven