Storing passwords in database


VB Programmer

I am using SQL Server as the database for my ASP.NET app.

I have a users table with a password field. What is the best way to encrypt
it before it goes into the table, then decrypt it to read the value? Any
sample code or links would be helpful.

Thanks!
 
You shouldn't encrypt or decrypt it at all. What you should do is create
a hash of the password value and then store it in the database. The next
time the user tries to log on you should hash the password they entered
and compare it to the stored hash; if they are the same then the user
entered the proper password. This helps prevent anyone with access to
your database (for legitimate or otherwise purposes) from figuring out
people's passwords (as the hash cannot be reversed). You may also
consider salting the password when hashing it.

Here's one site with some info:

http://www.ondotnet.com/pub/a/dotnet/excerpt/ado.netckbk_chap01/?page=2

Others can be located using a search on Google for:

dotnet password hash salt

Hope this helps.

Have A Better One!

John M Deal, MCP
Necessity Software
 
Try using the .NET Crypto API. It provides the best-tested algorithms for
encryption.

Try using trusted_connection=true; in the web.config file instead of using
a SQL connection string with username and password.

HTH
 