Solved

Encrypt password - Client or Server side?

Posted on 2010-08-22
Last Modified: 2012-05-10
Hi!

I have a website with a login system. How should I encrypt the password?

In C# code-behind (server side) or with JavaScript (client-side)?

The connection is over HTTPS, but I think that it is still necessary to encrypt the password, right?

Thanks in advance!
Question by:calypsoworld
6 Comments
 
LVL 42

Expert Comment

by:sedgwick
ID: 33495529
Are you using WCF?
0
 

Author Comment

by:calypsoworld
ID: 33495572
> Are you using WCF?

No.
0
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 2000 total points
ID: 33495657
If it's passed over HTTPS then it will be encrypted before transport. If you want to store it at your end then you want to encrypt it server-side (if you try and do it client-side then all the information you use for encryption is going to be available to anyone, which kinda defeats the purpose). Although, if you're using the Membership provider then you can specify that passwords should be encrypted so you don't need to do it manually.
0
 
LVL 8

Expert Comment

by:Fareed Ali Khan
ID: 33495990
Hi,

The password should be encrypted whether or not HTTPS is used. A good approach is to encrypt the password on the client side. The following are some of the libraries for encryption through JavaScript:

For MD5 (http://pajhome.org.uk/crypt/md5/)
For SHA1 (http://www.movable-type.co.uk/scripts/sha1.html)

For other (http://www.farfarfar.com/scripts/encrypt/)


Also, you can use the .NET Cryptography namespace libraries for encryption on the server side.

0
 

Author Comment

by:calypsoworld
ID: 33607944
carl_tawn says that client-side encryption defeats the purpose.

Fareed says that client-side encryption is a good approach.
0
 
LVL 52

Assisted Solution

by:Carl Tawn
Carl Tawn earned 2000 total points
ID: 33608014
I think Fareed is confusing encryption with hashing. MD5 and SHA1 are both hashing algorithms, not encryption algorithms. Hashing is a one-way process; a hashed value cannot be un-hashed. Encryption, on the other hand, allows you to protect your data for storage or transport and allows it to be decrypted again in order to read the information.
0
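
The hashing-versus-encryption distinction from the last reply, applied server-side as the accepted solution advises, in an added C# example that is not code from any poster in this thread. It assumes .NET 8 or later; the class and method names, the choice of PBKDF2-SHA256 and AES-GCM, and the iteration count are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: all names and parameters below are assumptions.
static class PasswordStorageDemo
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 210_000; // assumed work factor

    // Hashing (one-way): the stored record is salt + PBKDF2 output.
    // The password cannot be read back out of it.
    public static byte[] HashForStorage(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh salt per user
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        byte[] record = new byte[SaltBytes + HashBytes];
        salt.CopyTo(record, 0);
        hash.CopyTo(record, SaltBytes);
        return record;
    }

    // Login check: re-derive from the submitted password and compare in constant time.
    public static bool Verify(string password, byte[] record)
    {
        if (record is null || record.Length != SaltBytes + HashBytes) return false; // malformed record
        byte[] salt = record[..SaltBytes], expected = record[SaltBytes..];
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Encryption (two-way): whoever holds the key recovers the original value.
    public static string EncryptThenDecrypt(string secret)
    {
        byte[] key = RandomNumberGenerator.GetBytes(32), nonce = RandomNumberGenerator.GetBytes(12);
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] cipher = new byte[plain.Length], tag = new byte[16], recovered = new byte[plain.Length];
        using var gcm = new AesGcm(key, tag.Length);
        gcm.Encrypt(nonce, plain, cipher, tag);
        gcm.Decrypt(nonce, cipher, tag, recovered); // throws if ciphertext or tag was altered
        return Encoding.UTF8.GetString(recovered);
    }

    static void Main()
    {
        byte[] record = HashForStorage("correct horse"); // constructed sample password
        Console.WriteLine(Verify("correct horse", record));
        Console.WriteLine(Verify("wrong guess", record));
        Console.WriteLine(EncryptThenDecrypt("correct horse"));
    }
}
```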
