Solved

Secure way of passing / inserting password in Database - ASP

Posted on 2006-07-07
262 Views
Last Modified: 2006-11-18
Dear Experts-

Let me explain the scenario first

I have login form with Userid and Password. Once the user enters userid and password, as a programmer I can know what is the value of the password user entered.

I would like to know if there is a way that the password can not be read even by the programmer and get the password in an encrypted way and send it to the database and save it


Regards

Question by:akp007
10 Comments
 
LVL 7

Assisted Solution

by:wesbird
wesbird earned 70 total points
ID: 17060158
Hash the passwords - here's an example: http://www.15seconds.com/issue/000217.htm

Use an algorithm like SHA256 or MD5 to generate a hash of the password and store that in the database instead.

 
LVL 7

Expert Comment

by:wesbird
ID: 17060490
Another useful resource: http://www.frez.co.uk/freecode.htm#md5
 
LVL 14

Assisted Solution

by:dfu23
dfu23 earned 60 total points
ID: 17060566
1. use HTTPS as the protocol for secure/encrypted transmission of the data
2. hash the password using client-side javascript to hash the password before it is submitted and store the hash in the DB
 
LVL 14

Assisted Solution

by:CyrexCore2k
CyrexCore2k earned 370 total points
ID: 17060906
akp

The above suggestions are good but if you want the best possible solution I would recommend using a combination of RC4 and MD5 encryption schemes.

Here's how your webpage should authenticate.

1. User requests login page.
2. Server generates two random character strings and stores them in a database table. One string we'll refer to as the key and the other we'll refer to as the mask.
3. The login page is generated by the server with a hidden field containing the key value. The mask value is also placed into a javascript variable but is _not_ to be submitted by the form.
4. The user enters in their username and password and clicks submit.
5. A piece of javascript code runs an RC4 algorithm on the password using the mask.
6. The encrypted password and the key are sent to the server.
7. The server finds the mask using the key value.
8. The server then decrypts the password using the mask found in the database.
9. The server deletes the record of the key and the mask.
10. The server then generates a password hash using MD5 and compares it against the database value.
11. From there the user is either granted or denied access.

This is the best possible free solution without using SSL. While SSL would be the absolute best solution instead of the RC4 steps I showed you, it costs quite a bit of money to get a certificate from a trusted CA. (Although if you want to just make your own CA, that's an option as well.)

This solution takes care of the two weakest points in security. Your password is not sent in plain text and your password is not stored in plain text. While this doesn't mean this solution is foolproof, it's about as secure as you can get without using SSL.
 

Author Comment

by:akp007
ID: 17061730
Thank you for all quick responses. I still have a small doubt. This may be dumb. But I want to get the clarification

All the suggestions and advice that you have provided to me are: once the user submits the form, we capture the password and encrypt it. But as a programmer, before I do the encryption, I can still see the password that the user entered, if I want to, right? Using Response.Write or some other way in ASP.

Is that right? Please


thanks
 
LVL 14

Accepted Solution

by:CyrexCore2k
CyrexCore2k earned 370 total points
ID: 17062092
akp yes that is correct. No matter what you do that will always be the case.

If you need a way to keep programmers from seeing users' passwords yet still be able to create applications, you could create a site to mimic the behavior of Microsoft Passport services. Programmers for the Passport site would still be able to see passwords, but programmers for any other application your company may develop would not.

Hope this helps
 
LVL 14

Expert Comment

by:dfu23
ID: 17062886
Not true.

If you affect the password (hash it or whatever) on the client side, then the posted value will not be what the user entered ...
 
LVL 14

Assisted Solution

by:CyrexCore2k
CyrexCore2k earned 370 total points
ID: 17065528
dfu, but essentially then that becomes the password, because a programmer is most likely clever enough to know how to masquerade a page so that they can send the hashed password instead of the password, gaining access to that person's account.
 

Author Comment

by:akp007
ID: 17065744
All the comments were excellent . I appreciate your quick response

Best Regards
