mike55 Posted August 25, 2004

Ok, when I add a new employee to the system, I must add their password into the form on two different password fields (i.e. this allows me to verify that they are the same password and check that the user entered data). When the user selects the save button, the password is saved as plaintext in the SQL database. If the user forgets their password, they simply have to click on a "forgot password" button which will send a copy of their password to their specified email address. As an additional layer of security, I am thinking of adding another field to the form, whereby the user would have to enter their public PGP key which would then be stored in the database. Therefore if the user clicked on the "forgot password" field they would then get the password they entered at the start, but it would be encrypted with the user's public key so only they could get the password. I am possibly making this too complex, so I would appreciate it if anyone could suggest a simpler approach (but I still need it pretty secure). Was using hash codes but they don't give me the flexibility to do what I want.

Mike55.

A Client refers to the person who incurs the development cost. A Customer refers to the person that pays to use the product. ------ My software never has bugs. It just develops random features. (Mosabama vbforums.com)
PlausiblyDamp (Administrator) Posted August 25, 2004

I wouldn't store passwords as plaintext ever. You are much better storing a hash of the password and when the user enters a password hash it and compare hashes - this way you never store a plaintext password or any form that can be reversed. Rather than sending out their password why not get them to also provide a security question and answer - if they get it right generate a new password and send that to their e-mail and force them to change it on next login.

Intellectuals solve problems; geniuses prevent them. -- Albert Einstein
mike55 (Author) Posted August 26, 2004

> I wouldn't store passwords as plaintext ever. You are much better storing a hash of the password and when the user enters a password hash it and compare hashes - this way you never store a plaintext password or any form that can be reversed. Rather than sending out their password why not get them to also provide a security question and answer - if they get it right generate a new password and send that to their e-mail and force them to change it on next login.

Ok, will take your suggestion as an example. When the user hits the forgot password button, I can either send them to a new page to answer the question, or alternatively I could make the question, text field and an OK button visible on the current page. The third option could involve using an input dialog that would appear with the question and an OK/Cancel button. It is the third option that I would like to try; unfortunately I have never seen anything that resembles an input dialog in ASP.NET. The one option would be to use JavaScript to create the input dialog, but how would I get the value entered in the JavaScript input dialog back to an ASP.NET variable?

Mike55
bri189a Posted August 26, 2004 (edited)

> You are much better storing a hash of the password and when the user enters a password hash it and compare hashes - this way you never store a plaintext password or any form that can be reversed.

So there isn't a way to revert back from a hashed value? EX:

    string input;
    int converted;
    Console.WriteLine("Enter a name to hash:");
    input = Console.ReadLine();
    converted = input.GetHashCode();
    Console.WriteLine("Result: {0}", converted);
    Console.ReadLine();

So that number can never be converted back to the string I entered? There has to be some way to reverse it... but is there a way that anybody knows about? What else can you do to make it more secure? Would:

    converted = username.GetHashCode() ^ password.GetHashCode();
    if (converted == test) return ok;

be good for making things more secure? Trying to learn.

Edited August 26, 2004 by bri189a
PlausiblyDamp (Administrator) Posted August 26, 2004

The whole point of a hash is that it is a one way transform. Rather than use the GetHashCode method (this doesn't return a cryptographically sound hash, it returns a more simple value for use with things like the HashTable class) you would want to consider one of the classes under System.Security.Cryptography (one of the SHA or MD5 might be a good choice - although it's worth reading up on cryptography in general if security is a serious concern in your application).
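The two replies above make three points: store only a one-way hash and compare hashes at login, reset a forgotten password by issuing a new one (after a security question) and forcing a change at next login, and do not use GetHashCode for this because it is not a cryptographic hash. The example below is added by the editor and is not code from either poster; it is written in Python with the standard library (hashlib, hmac, secrets) to stand in for the System.Security.Cryptography classes the thread names. The EmployeeStore class, its method names and the sample user "mike55"/"Secret1" are constructed for the demonstration. It also goes one step beyond the thread: it shows why a plain deterministic digest is not enough on its own (two users with the same password get the same digest, so a precomputed table applies to all of them) and adds a per-user random salt and a work factor via PBKDF2.

```python
"""Salted password storage, login verification and a forgot-password reset flow.

Editor's example, not code from the forum thread. Python's hashlib/hmac/secrets
stand in for the .NET System.Security.Cryptography classes mentioned above.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional

# Work factor: raise over time as hardware gets faster. Each guess costs this many
# SHA-256 iterations, which is the defender's lever against offline guessing.
PBKDF2_ITERATIONS = 100_000


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password. Deterministic: equal passwords -> equal digests,
    so one precomputed table of common passwords works against every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt per password means equal passwords no longer
    share a digest, and the salt is stored alongside so verification can re-derive."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time.
    Malformed stored values are treated as a mismatch rather than an exception."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), hash_hex)


@dataclass
class Employee:
    username: str
    password_hash: str
    answer_hash: str                    # the security answer is stored hashed too
    must_change_password: bool = False  # set after a reset, cleared on change


class EmployeeStore:
    """Constructed in-memory stand-in for the SQL table in the original question."""

    def __init__(self) -> None:
        self._users: Dict[str, Employee] = {}

    def add(self, username: str, password: str, security_answer: str) -> None:
        # Normalise the answer so "Rover" and " rover " compare equal after hashing.
        answer = security_answer.strip().lower()
        self._users[username] = Employee(username, hash_password(password), hash_password(answer))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'change-password' (temporary password in use) or 'denied'."""
        user = self._users.get(username)
        if user is None or not verify_password(password, user.password_hash):
            return "denied"
        return "change-password" if user.must_change_password else "ok"

    def forgot_password(self, username: str, security_answer: str) -> Optional[str]:
        """On a correct answer, replace the password with a random temporary one and
        return it for e-mailing. The old password is never recoverable: only its hash
        was stored, so there is nothing to 'send back'."""
        user = self._users.get(username)
        if user is None or not verify_password(security_answer.strip().lower(), user.answer_hash):
            return None
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(12))
        user.password_hash = hash_password(temp)
        user.must_change_password = True
        return temp

    def change_password(self, username: str, old: str, new: str) -> bool:
        user = self._users.get(username)
        if user is None or not verify_password(old, user.password_hash):
            return False
        user.password_hash = hash_password(new)
        user.must_change_password = False
        return True


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    print("unsalted digests equal:", unsalted_digest("Secret1") == unsalted_digest("Secret1"))
    print("salted hashes equal:  ", hash_password("Secret1") == hash_password("Secret1"))
    store = EmployeeStore()
    store.add("mike55", "Secret1", "Rover")
    print("login:", store.login("mike55", "Secret1"))
    temp = store.forgot_password("mike55", "rover")
    print("after reset, old password:", store.login("mike55", "Secret1"))
    print("after reset, temp password:", store.login("mike55", temp))
```

The stored string carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records re-hashed at the user's next successful login without a schema change. The reset path answers the original question directly: because only the hash is kept, the "forgot password" button cannot e-mail the old password, so it issues a new random one and flags the account until it is changed.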
bri189a Posted August 30, 2004

I think a general hash will suffice for my current needs... thanks to this post I have changed all my pages from storing plain text passwords (I knew it was bad but I didn't know a feasible work around - thanks!) to hash values. Again tight security isn't a super concern of mine for my few web apps, but more for general discussion, if the hash of 'bri189a' always comes out to the same int, then there is a mathematical formula behind it that can be reversed... as far as you know has anyone come up with it? Does anyone know the figures on how long it would take to compute (i.e. like a password hacker program would take 6 billion tries to find the right combination of letters to get a 14 character password). Thanks PD!