Encrypt password - Client or Server side?

Posted on 2010-08-22
Last Modified: 2012-05-10
Hi!

I have a website with a login system. How should I encrypt the password?

In C# code-behind (server side) or with Javascript (client-side)?

The connection is over HTTPS, but I think it is still necessary to encrypt the password, right?

Thanks in advance!
0
Question by:calypsoworld
6 Comments
 
LVL 42

Expert Comment

by:Meir Rivkin
ID: 33495529
Are you using WCF?
0
 

Author Comment

by:calypsoworld
ID: 33495572
> are you using WCF?

No.
0
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 2000 total points
ID: 33495657
If it's passed over HTTPS then it will be encrypted before transport. If you want to store it at your end then you want to encrypt it server-side (if you try and do it client-side then all the information you use for encryption is going to be available to anyone, which kinda defeats the purpose). Although, if you're using the Membership provider then you can specify that passwords should be encrypted so you don't need to do it manually.
0
 
LVL 8

Expert Comment

by:Fareed Ali Khan
ID: 33495990
Hi,

The password should be encrypted whether or not HTTPS is used. A good approach is to encrypt the password on the client side. The following are some libraries for encryption through JavaScript:

For MD5 (http://pajhome.org.uk/crypt/md5/)
For SHA1 (http://www.movable-type.co.uk/scripts/sha1.html)

For other (http://www.farfarfar.com/scripts/encrypt/)


Also, you can use the .NET Cryptography namespace libraries for encryption on the server side.

0
 

Author Comment

by:calypsoworld
ID: 33607944
carl_tawn says that client-side encryption defeats the purpose.

Fareed says that client-side encryption is a good approach.
0
 
LVL 52

Assisted Solution

by:Carl Tawn
Carl Tawn earned 2000 total points
ID: 33608014
I think Fareed is confusing encryption with hashing. MD5 and SHA1 are both hashing algorithms, not encryption algorithms. Hashing is a one-way process; a hashed value cannot be un-hashed. Encryption, on the other hand, allows you to protect your data for storage or transport and allows it to be decrypted again in order to read the information.
0
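
An added example, not part of the thread or any poster's code, showing the hashing/encryption distinction from the answer above on the server side in C#: a salted one-way hash is checked by recomputing it, while AES ciphertext decrypts back to the original for whoever holds the key. PBKDF2 (`Rfc2898DeriveBytes`), the iteration count, the class and method names and the sample password are assumptions chosen for the illustration; the thread itself names only MD5 and SHA1.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Assumes .NET Core 2.1+ / .NET 5+ (CryptographicOperations) and C# 7 tuples.
static class PasswordDemo
{
    const int Iterations = 100000; // assumed work factor, tune for your hardware

    // One-way: derive a salted hash for storage. There is no matching "unhash".
    public static (byte[] Salt, byte[] Hash) HashForStorage(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return (salt, Derive(password, salt));
    }

    // Login check: recompute from the submitted password and compare in constant time.
    public static bool Verify(string attempt, byte[] salt, byte[] storedHash) =>
        CryptographicOperations.FixedTimeEquals(Derive(attempt, salt), storedHash);

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample

        var record = HashForStorage(password);
        Console.WriteLine("stored hash: " + Convert.ToBase64String(record.Hash));
        Console.WriteLine("right password verifies: " + Verify(password, record.Salt, record.Hash));
        Console.WriteLine("wrong password verifies: " + Verify("guess", record.Salt, record.Hash));

        // Two-way: encryption round-trips for anyone who has the key.
        using (Aes aes = Aes.Create()) // random key and IV generated for the demo
        {
            byte[] plain = Encoding.UTF8.GetBytes(password);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            using (var dec = aes.CreateDecryptor())
                Console.WriteLine("decrypted: " + Encoding.UTF8.GetString(dec.TransformFinalBlock(cipher, 0, cipher.Length)));
        }
    }
}
```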
