  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 940
  • Last Modified:

Encrypt password - Client or Server side?

Hi!

I have a website with a login system. How should I encrypt the password?

In C# code-behind (server side) or with JavaScript (client side)?

The connection is over HTTPS, but I think it is still necessary to encrypt the password, right?

Thanks in advance!
0
calypsoworld
Asked:
calypsoworld
2 Solutions
 
Meir Rivkin, Full stack Software Engineer, Commented:
Are you using WCF?
0
 
calypsoworld (Author) Commented:
> are you using WCF?

No.
0
 
Carl Tawn, Systems and Integration Developer, Commented:
If it's passed over HTTPS then it will be encrypted before transport. If you want to store it at your end then you want to encrypt it server-side (if you try and do it client-side then all the information you use for encryption is going to be available to anyone, which kinda defeats the purpose). Although, if you're using the Membership provider then you can specify that passwords should be encrypted so you don't need to do it manually.
0
 
Fareed Ali Khan Commented:
Hi,

The password should be encrypted regardless of whether HTTPS is used. A good approach is to encrypt the password on the client side. The following are some of the libraries for encryption through JavaScript:

For MD5 (http://pajhome.org.uk/crypt/md5/)
For SHA1 (http://www.movable-type.co.uk/scripts/sha1.html)

For other (http://www.farfarfar.com/scripts/encrypt/)


You can also use the .NET Cryptography namespace libraries for encryption on the server side.

0
 
calypsoworld (Author) Commented:
carl_tawn says that client-side encryption defeats the purpose.

Fareed says that client-side encryption is a good approach.
0
 
Carl Tawn, Systems and Integration Developer, Commented:
I think Fareed is confusing encryption with hashing. MD5 and SHA1 are both hashing algorithms, not encryption algorithms. Hashing is a one-way process; a hashed value cannot be un-hashed. Encryption, on the other hand, allows you to protect your data for storage or transport and allows it to be decrypted again in order to read the information.
0
