password encryption

  • Thread starter: zooCurator

zooCurator

I'm new to .NET, so hopefully I am in the right place.

I have written a web application which accepts the userid & password. The
password is masked with "*" and is used for accessing DB2 & SQL Server
databases.

When in debug mode the password displays as it was entered. Is there a way
to have the password encrypted, even during debug? It makes me wonder how
secure the password really is.

Thanks
 
When in debug mode the password displays as it was entered. Is there a way
to have the password encrypted, even during debug? It makes me wonder how
secure the password really is.

When exactly is it displayed while in debug mode -- on the HTML/ASPX page?
If so, this is a very strange behavior.

The password will be transferred in clear text (readable form) from the
client to your server if you do not use SSL on your side. Your client has to
be connected to port 443 (https). This will ensure that the communication
between the two machines is always encrypted.
 
I do not see it in the HTML. Only when placing my cursor over the password
text while debugging. I was debugging a connectivity problem with a
colleague and when he placed the cursor over the input string he was able to
read my password. I started thinking that this might be a bug in the code
where it did not come across encrypted and further wondered if this could be
open for capturing by a hacker somehow.
 
This is normal. You have to be able to read the password in clear text on
your end so that you can use it, for example, for authentication.

However, check if you can set up SSL on your web application server. This
will ensure that all data is encrypted and a middle man will not be able to
read the actual information.

If you use regular HTTP, it is very likely that a packet sniffer on the
client side (or any network device above the client machine) will be able to
reveal the communication to your server, including the password in a
readable form.
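
Added example, not part of the thread: one way to enforce the SSL advice above in an ASP.NET Web Forms application, so the login page never processes a password that arrived over plain HTTP. It assumes the site runs on IIS with a certificate already bound to port 443; the `Global` class name is the usual Global.asax code-behind and is an assumption here.

```csharp
// Global.asax.cs (added example; assumes HTTPS is already bound to port 443)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Runs before any page code, so no page ever reads a password
    // from a request that travelled over plain HTTP.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Request;

        // Already encrypted in transit: nothing to do.
        if (request.IsSecureConnection)
        {
            return;
        }

        bool safeMethod =
            string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(request.HttpMethod, "HEAD", StringComparison.OrdinalIgnoreCase);

        if (!safeMethod)
        {
            // A form posted over HTTP has already crossed the network in
            // clear text. Refuse it instead of redirecting, so a page that
            // posts to http:// fails visibly and gets fixed.
            Response.StatusCode = 403;
            Response.StatusDescription = "HTTPS required";
            CompleteRequest();
            return;
        }

        // GET/HEAD carry no form body: send the browser to the same
        // URL on https, port 443, before the login form is rendered.
        UriBuilder secure = new UriBuilder(request.Url);
        secure.Scheme = Uri.UriSchemeHttps;
        secure.Port = 443;
        Response.Redirect(secure.Uri.AbsoluteUri, false);
        CompleteRequest();
    }
}
```

This protects the password between browser and server only; on the server the value is still readable in memory and in the debugger, as the reply above explains.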
 