md5 steps

I would like to know how to implement this algorithm in ASP.
I want to use it in a login page.
I have some doubts...
Should I apply the md5 function in JavaScript before sending the password and then compare the hash? I also saw on some pages that some people use a random number...
Which would be the best "steps" to follow? I would like someone to detail the steps for me, including when a user registers for the first time and also when a user logs in.
Thank you so much :)
DeLaVegaz Asked:

eyeh8u Commented:
Generally, on registration I generate a random secure password for the user, and store this as an MD5 hash in the database for security. This is emailed to the registered email address to authenticate they are who they say they are etc.

I use this library: http://www.freevbcode.com/ShowCode.Asp?ID=2366

To generate the hash.

When a user logs in, I have them log in with their actual password and submit this to the server in plain text (i.e. no JavaScript MD5); this is then hashed with the above library to compare to their login to check authentication. Where security is a concern, the login is done over SSL.

Random number/text string images etc. confirmation is frequently used on signup screens to prevent automated registration by user list spam robots (who sign up hundreds of AAAAAHOTSEX style accounts in user directories at popular sites like yahoo groups and so on). I've never worked on a site where this has been an issue.
0

thefritterfatboy Commented:
Remember - the idea of MD5 is to *hide* the password... not to stop people logging in as other users.

If you are dealing with money or sensitive data - use an https (SSL) connection. If you make JavaScript do the work and then submit... this MD5 string can still be seen by 'hackers' and used to log in as that user.

The idea of MD5 is useful for cookies. You can save user ID and md5 password in the cookie to authenticate users. However, other users on this machine cannot open the cookies folder, your site's cookie and simply read this user's password - they would just be presented with an md5 string.

A good way of encrypting is to send a checksum from the server. When the page is loaded - create an ASP session and add a random 10 digit string to your session. The JavaScript would add this string to the user's password BEFORE md5 hashing it and sending it back to the server.

You would then take this string, append it to the end of the user's password in your database, MD5 hash it and test the two strings. This means the MD5 hash sent is unique each time yet still contains the data you need.
0
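The challenge-response exchange described in the comment above, with both sides shown, as an added example that is not part of the original thread. Node.js stands in for the ASP server side; all function names and the sample user are hypothetical, and it assumes the database holds md5(password) as in the first answer, so the browser hashes the password once before appending the challenge.

```javascript
const crypto = require('crypto');
const md5 = (text) => crypto.createHash('md5').update(text, 'utf8').digest('hex');

// Constructed sample data: the users table holds md5(password), not the password.
const users = new Map([['alice', md5('correct horse')]]);
const sessions = new Map(); // sessionId -> challenge still waiting for an answer

// Server, on page load: put a random 10-digit string in the session.
function issueChallenge(sessionId) {
  const challenge = String(crypto.randomInt(0, 10 ** 10)).padStart(10, '0');
  sessions.set(sessionId, challenge);
  return challenge;
}

// Browser, on submit: hash the password, append the challenge, hash again.
function clientResponse(password, challenge) {
  return md5(md5(password) + challenge);
}

// Server, on POST: recompute from the stored hash and compare.
function verifyLogin(sessionId, username, response) {
  const challenge = sessions.get(sessionId);
  sessions.delete(sessionId); // single use, so a captured response cannot be replayed
  const stored = users.get(username);
  if (!challenge || !stored || typeof response !== 'string') return false;
  const expected = Buffer.from(md5(stored + challenge));
  const got = Buffer.from(response);
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Walk through one login, then resubmit the same captured response twice.
function demo() {
  const captured = clientResponse('correct horse', issueChallenge('sess-1'));
  const firstLogin = verifyLogin('sess-1', 'alice', captured);
  const reuseSameSession = verifyLogin('sess-1', 'alice', captured);
  issueChallenge('sess-2'); // a new session gets a different challenge
  const replayNewSession = verifyLogin('sess-2', 'alice', captured);
  return { firstLogin, reuseSameSession, replayNewSession };
}

console.log(demo());
```

In this variant the stored MD5 value is all that is needed to compute a valid response, so the users table needs the same protection as plaintext passwords, and the exchange does not replace SSL.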