
aspx thread: Password encryption


Message #1 by Jeff Fountain <jfountain@d...> on Wed, 27 Nov 2002 12:15:10 -0500
Hello everyone - 
 
I am creating a web form for setting up users and would like to be able to
store the passwords in my database in an encrypted format, not plain text.
Can this be done? How?
Thanks very much for your help!
 
 
 
Jeff Fountain
Web/SQL Administrator
Downs Rachlin Martin PLLC
199 Main Street, P.O. Box 190
Burlington, VT 05402-0190 

(802) 846 - 8304
(802) 777 - 3612
<http://www.drm.com/>

 

Message #2 by Helen Warn <hwarn@s...> on Wed, 27 Nov 2002 09:23:36 -0800
Hi Jeff,

This subject is covered in Chapter 12 of "Building Secure ASP.NET
Applications" from Microsoft, which can be downloaded at:

<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpmsdn.asp>

Cheers,

Helen


Message #3 by "Dave Rezoski" <daverezoski@h...> on Wed, 27 Nov 2002 17:25:09 +0000
Hi Jeff.  While I've never personally done this, I've been on a team that has 
implemented the same type of scenario.

Perhaps take a look at the MD5 Class and the System.Security.Cryptography 
Namespace - particularly Cryptographic Services, Cryptographic Tasks, and 
Encrypting and Decrypting Data.


HTH







Message #4 by "Andrew Polshaw" <andrewp@w...> on Thu, 28 Nov 2002 09:00:02
There are a few ways, but the method universally used is a hashing 
algorithm. A hash algorithm is a one-way function that translates some 
text/data into a fixed-size value. It is used for signatures, but it can 
also be used for this. Hash the value and store the hash. When another 
password is given, hash that and compare it to the original hash. If 
equivalent, then the passwords are the same.

Use the SHA1 class, this provides a 160-bit hash value that is both 
difficult to crack and makes it unlikely that another password will 
produce the same hash.

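Use as follows (in VB.NET):

Imports System
Imports System.Security.Cryptography
Imports System.Text

Private Function EncryptPassword(value As String) As String
  ' Convert the password text to bytes (UTF-8 keeps non-ASCII characters distinct)
  Dim enc As New UTF8Encoding()
  Dim encrypted() As Byte = enc.GetBytes(value)

  ' Compute the 160-bit SHA-1 hash of those bytes
  Dim sh As New SHA1CryptoServiceProvider()
  Dim hash() As Byte = sh.ComputeHash(encrypted)

  ' Return the hash as Base64 text so all 20 bytes survive; decoding raw
  ' hash bytes as ASCII would turn every byte above 127 into "?"
  Return Convert.ToBase64String(hash)
End Function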

Then, to test the password, just do a simple string compare with the value 
returned from this method when a password is entered, and the value in the 
database.


 

