Solved

Secure way of passing / inserting password in Database - ASP

Posted on 2006-07-07
10
257 Views
Last Modified: 2006-11-18
Dear Experts-

Let me explain the scenario first

I have login form with Userid and Password. Once the user enters userid and password, as a programmer I can know what is the value of the password user entered.

I would like to know if there is a way that the password can not be read even by the programmer and get the password in an encrypted way and send it to the database and save it


Regards

0
Comment
Question by:akp007
  • 3
  • 3
  • 2
  • +1
10 Comments
 
LVL 7

Assisted Solution

by:wesbird
wesbird earned 70 total points
ID: 17060158
Hash the passwords - here's an example: http://www.15seconds.com/issue/000217.htm

Use an algorithm like SHA256 or MD5 to generate a hash of the password and store that in the database instead.

0
 
LVL 7

Assisted Solution

by:wesbird
wesbird earned 70 total points
ID: 17060172
0
 
LVL 7

Expert Comment

by:wesbird
ID: 17060490
Another useful resource: http://www.frez.co.uk/freecode.htm#md5
0
 
LVL 14

Assisted Solution

by:dfu23
dfu23 earned 60 total points
ID: 17060566
1. use HTTPS as the protocol for secure/encrypted transmission of the data
2. hash the password using client-side javascript to hash the password before it is submitted and store the hash in the DB
0
 
LVL 14

Assisted Solution

by:CyrexCore2k
CyrexCore2k earned 370 total points
ID: 17060906
akp

The above suggestions are good but if you want the best possible solution I would recommend using a combination of RC4 and MD5 encryption schemes.

Here's how your webpage should authenticate.

User requests login page
Server generates two random character strings and stores them in a database table. One string we'll refer to as the key and the other we'll refer to as the mask.
The login page is generated by the server with a hidden field containing the key value. The mask value is also placed into a javascript variable but is _not_ to be submitted by the form.
The user enters in their username and password and clicks submit.
A piece of javascript code runs an RC4 algorithm on the password using the mask.
The encrypted password and the key are sent to the server.
The server finds the mask using the key value.
The server then decrypts the password using the mask found in the database.
The server deletes the record of the key and the mask.
The server then generates a password hash using MD5 and compares it against the database value
From there the user is either granted or denied access.

This is the best possible free solution without using SSL. While SSL would be the absolute best solution instead of the RC4 steps I showed you it costs quite a bit of money to get a certificate from a trusted CA. (Although if you want to just make your own CA that's an option as well.)

This solution takes care of the two weakest points in security. Your password is not sent in plain text and your password is not stored in plain text. While this doesn't mean this solution is fool proof it's about as secure as you can get without using SSL.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:akp007
ID: 17061730
Thank you for all quick responses. I still have a small doubt. This may be dumb. But I want to get the clarification

All the suggestion and advice that you have provided to me are, Once the user submits the form, then we capture the password and encrypt that. But as a programmer, before I do the encryption, I can still see the password that user entered , if I want to right? using response.write or some other way using ASP.

Is that right? Please


thanks
0
 
LVL 14

Accepted Solution

by:
CyrexCore2k earned 370 total points
ID: 17062092
akp yes that is correct. No matter what you do that will always be the case.

If you need a way to keep programmers from seeing users passwords yet still be able to create applications you could create a site to mimic the behavior of microsoft passport services. Programmers for the passport site would still be able to see passwords but programmers for any other application your company may develop would not.

Hope this helps
0
 
LVL 14

Expert Comment

by:dfu23
ID: 17062886
not true

if you effect the password (hash it or whatever) on the client side then the posted value will not be what the user entered ...
0
 
LVL 14

Assisted Solution

by:CyrexCore2k
CyrexCore2k earned 370 total points
ID: 17065528
dfu but essentially then that becomes the password because a programmer is most likely clever enough to know how to masquerade a page so that they can send the hashed password instead of the password and gaining access to that person's account.
0
 

Author Comment

by:akp007
ID: 17065744
All the comments were excellent . I appreciate your quick response

Best Regards
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I recently decide that I needed a way to make my pages scream on the net.   While searching around how I can accomplish this I stumbled across a great article that stated "minimize the server requests." I got to thinking, hey, I use more than one…
I was asked about the differences between classic ASP and ASP.NET, so let me put them down here, for reference: Let's make the introductions... Classic ASP was launched by Microsoft in 1998 and dynamically generate web pages upon user interact…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now