  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 271

Secure way of passing / inserting password in Database - ASP

Dear Experts-

Let me explain the scenario first

I have a login form with Userid and Password. Once the user enters userid and password, as a programmer I can know what the value of the password the user entered is.

I would like to know if there is a way that the password cannot be read even by the programmer, and to get the password in an encrypted way, send it to the database and save it.


Regards

Asked by: akp007

6 Solutions
 
wesbirdCommented:
Hash the passwords - here's an example: http://www.15seconds.com/issue/000217.htm

Use an algorithm like SHA256 or MD5 to generate a hash of the password and store that in the database instead.

0
 
 
wesbirdCommented:
Another useful resource: http://www.frez.co.uk/freecode.htm#md5
0

 
dfu23Commented:
1. use HTTPS as the protocol for secure/encrypted transmission of the data
2. hash the password using client-side javascript to hash the password before it is submitted and store the hash in the DB
0
 
CyrexCore2kCommented:
akp

The above suggestions are good but if you want the best possible solution I would recommend using a combination of RC4 and MD5 encryption schemes.

Here's how your webpage should authenticate.

1. User requests login page.
2. Server generates two random character strings and stores them in a database table. One string we'll refer to as the key and the other we'll refer to as the mask.
3. The login page is generated by the server with a hidden field containing the key value. The mask value is also placed into a javascript variable but is _not_ to be submitted by the form.
4. The user enters in their username and password and clicks submit.
5. A piece of javascript code runs an RC4 algorithm on the password using the mask.
6. The encrypted password and the key are sent to the server.
7. The server finds the mask using the key value.
8. The server then decrypts the password using the mask found in the database.
9. The server deletes the record of the key and the mask.
10. The server then generates a password hash using MD5 and compares it against the database value.
11. From there the user is either granted or denied access.

This is the best possible free solution without using SSL. While SSL would be the absolute best solution instead of the RC4 steps I showed you it costs quite a bit of money to get a certificate from a trusted CA. (Although if you want to just make your own CA that's an option as well.)

This solution takes care of the two weakest points in security. Your password is not sent in plain text and your password is not stored in plain text. While this doesn't mean this solution is foolproof, it's about as secure as you can get without using SSL.
0
 
akp007Author Commented:
Thank you for all quick responses. I still have a small doubt. This may be dumb. But I want to get the clarification

All the suggestions and advice that you have provided to me are: once the user submits the form, then we capture the password and encrypt that. But as a programmer, before I do the encryption, I can still see the password that the user entered, if I want to, right? Using response.write or some other way using ASP.

Is that right? Please


thanks
0
 
CyrexCore2kCommented:
akp yes that is correct. No matter what you do that will always be the case.

If you need a way to keep programmers from seeing users' passwords yet still be able to create applications, you could create a site to mimic the behavior of Microsoft Passport services. Programmers for the Passport site would still be able to see passwords, but programmers for any other application your company may develop would not.

Hope this helps
0
 
dfu23Commented:
not true

if you effect the password (hash it or whatever) on the client side then the posted value will not be what the user entered ...
0
 
CyrexCore2kCommented:
dfu, but essentially then that becomes the password, because a programmer is most likely clever enough to know how to masquerade a page so that they can send the hashed password instead of the password and gain access to that person's account.
0
 
akp007Author Commented:
All the comments were excellent. I appreciate your quick response.

Best Regards
0