Solved

Encrypt password - Client or Server side?

Posted on 2010-08-22
6
902 Views
Last Modified: 2012-05-10
Hi!

I have  a website with Login system. How should I encrypt the password?

In C# code-behind (server side) or with Javascript (client-side)?

The connection is over HTTPS, but I think that still necessary encrypt the password, right?

Thanks in advance!
0
Comment
Question by:calypsoworld
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 42

Expert Comment

by:sedgwick
ID: 33495529
are you using WCF?
0
 

Author Comment

by:calypsoworld
ID: 33495572
> are you using WCF?

No.
0
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 500 total points
ID: 33495657
If it's passed over HTTPS then it will be encrypted before transport. If you want to store it at your end then you want to encrypt it server-side (if you try and do it client-side then all the information you use for encryption is going to be available to anyone, which kinda defeats the purpose). Although, if you're using the Membership provider then you can specify that passwords should be enrypted so you don't need to do it manually.
0
[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.

 
LVL 8

Expert Comment

by:Fareed Ali Khan
ID: 33495990
Hi,

Password should be encrypted independent of HTTPS or not. Good approach is to encrypt the password from client side. Following are some of the libraries for encryption through JavaScript:

For MD5 (http://pajhome.org.uk/crypt/md5/)
For SHA1 (http://www.movable-type.co.uk/scripts/sha1.html)

For other (http://www.farfarfar.com/scripts/encrypt/)


Also you can use the .Net Cryptography Namespace libraries for encryption at server side.

0
 

Author Comment

by:calypsoworld
ID: 33607944
carl_tawn says that client-side encriptation defeats the purpose.

Farred says that client-side encriptation is a good approach.
0
 
LVL 52

Assisted Solution

by:Carl Tawn
Carl Tawn earned 500 total points
ID: 33608014
I think Fareed is confusing encryption with hashing. MD5 and SHA1 are both hashing algorithms, not encryption algorithms. Hashing is a one way process, a hashed value cannot be un-hashed. Encryption on the other hand allows you to protect your data for storage or transport and allows it to be decrypted again in order to read the information.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Entity Framework is a powerful tool to help you interact with the DataBase but still doesn't help much when we have a Stored Procedure that returns more than one resultset. The solution takes some of out-of-the-box thinking; read on!
Calculating holidays and working days is a function that is often needed yet it is not one found within the Framework. This article presents one approach to building a working-day calculator for use in .NET.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question