Solved

Encrypt password - Client or Server side?

Posted on 2010-08-22
6
883 Views
Last Modified: 2012-05-10
Hi!

I have  a website with Login system. How should I encrypt the password?

In C# code-behind (server side) or with Javascript (client-side)?

The connection is over HTTPS, but I think that still necessary encrypt the password, right?

Thanks in advance!
0
Comment
Question by:calypsoworld
6 Comments
 
LVL 42

Expert Comment

by:sedgwick
ID: 33495529
are you using WCF?
0
 

Author Comment

by:calypsoworld
ID: 33495572
> are you using WCF?

No.
0
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 500 total points
ID: 33495657
If it's passed over HTTPS then it will be encrypted before transport. If you want to store it at your end then you want to encrypt it server-side (if you try and do it client-side then all the information you use for encryption is going to be available to anyone, which kinda defeats the purpose). Although, if you're using the Membership provider then you can specify that passwords should be enrypted so you don't need to do it manually.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 8

Expert Comment

by:Fareed Ali Khan
ID: 33495990
Hi,

Password should be encrypted independent of HTTPS or not. Good approach is to encrypt the password from client side. Following are some of the libraries for encryption through JavaScript:

For MD5 (http://pajhome.org.uk/crypt/md5/)
For SHA1 (http://www.movable-type.co.uk/scripts/sha1.html)

For other (http://www.farfarfar.com/scripts/encrypt/)


Also you can use the .Net Cryptography Namespace libraries for encryption at server side.

0
 

Author Comment

by:calypsoworld
ID: 33607944
carl_tawn says that client-side encriptation defeats the purpose.

Farred says that client-side encriptation is a good approach.
0
 
LVL 52

Assisted Solution

by:Carl Tawn
Carl Tawn earned 500 total points
ID: 33608014
I think Fareed is confusing encryption with hashing. MD5 and SHA1 are both hashing algorithms, not encryption algorithms. Hashing is a one way process, a hashed value cannot be un-hashed. Encryption on the other hand allows you to protect your data for storage or transport and allows it to be decrypted again in order to read the information.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
C# Error - Add Failed 12 78
How to Decrypt in C# a string that is encrypted with Coldfusion Encrypt(string, seed) function 11 62
Error in query expression 3 31
SQL Exceptions 3 35
Introduction Hi all and welcome to my first article on Experts Exchange. A while ago, someone asked me if i could do some tutorials on object oriented programming. I decided to do them on C#. Now you may ask me, why's that? Well, one of the re…
Introduction This article shows how to use the open source plupload control to upload multiple images. The images are resized on the client side before uploading and the upload is done in chunks. Background I had to provide a way for user…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now