Miss .Net
0 Points
24 Posts
sending password as clear text. please help
Dec 01, 2012 05:53 AM
Good morning,
I am supporting an application in my organization, and after they scanned it they said it is sending the password as clear text. Is there any way to fix this issue?
The application description:
It takes the username, the old password and the new password from a form and replaces the old password. It also reads the database name from a list.
NOTE: the framework version is ASP.NET 2.0
Below is my code:
    using System;
    using System.Configuration;
    using System.Data;
    //using System.Linq;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;
    using System.Web.UI.HtmlControls;
    using System.Web.UI.WebControls;
    using System.Web.UI.WebControls.WebParts;
    //using System.Xml.Linq;
    //using Oracle.DataAccess.Client;
    //using Oracle.DataAccess.Types;
    using System.Data.OracleClient;

    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Windows-authenticated account name with the domain prefix removed.
            string loginUser = Request.ServerVariables.Get("LOGON_USER");
            loginUser = loginUser.Replace("Domain\\", "");
            lblUserId.Text = loginUser;

            // Put every input, validator and the button in one validation group.
            txtConfirmPassword.ValidationGroup = "passValidation";
            txtNewPassword.ValidationGroup = "passValidation";
            txtOldPassword.ValidationGroup = "passValidation";
            RequiredFieldValidatorConfirmPass.ValidationGroup = "passValidation";
            RequiredFieldValidatorNewPass.ValidationGroup = "passValidation";
            RequiredFieldValidatorOldPass.ValidationGroup = "passValidation";
            CompareValidator1.ValidationGroup = "passValidation";
            RegularExpressionValidatorPassComplexity.ValidationGroup = "passValidation";
            btnChange.ValidationGroup = "passValidation";
            ValidationSummary1.ValidationGroup = "passValidation";
        }

        protected void btnChange_Click(object sender, EventArgs e)
        {
            lblResult.Text = ""; //clear previous result if any

            // Enforce the validators on the server, not only in the browser.
            if (!Page.IsValid)
                return;

            // The passwords are spliced into a quoted ALTER USER statement (DDL
            // cannot take bind variables), so a double quote would end the literal.
            if (txtOldPassword.Text.IndexOf('"') >= 0 || txtNewPassword.Text.IndexOf('"') >= 0)
            {
                lblResult.Text = "The password must not contain a double quote.";
                return;
            }

            // Build the connection string with the builder so that a ';' in the
            // password cannot add extra connection-string keywords.
            OracleConnectionStringBuilder csb = new OracleConnectionStringBuilder();
            csb.UserID = lblUserId.Text;
            csb.Password = txtOldPassword.Text;
            csb.IntegratedSecurity = false;
            csb.DataSource = ddlOracleServer.SelectedValue;

            try
            {
                // The using blocks close the connection and command even on failure.
                using (OracleConnection conn = new OracleConnection(csb.ConnectionString))
                {
                    conn.Open();
                    //string strSql = ("alter user user identified by \"pass.4$\" replace \"Test.4$\"");
                    string strSql = "alter user " + lblUserId.Text + " identified by \"" + txtNewPassword.Text + "\" replace \"" + txtOldPassword.Text + "\"";
                    using (OracleCommand cmd2 = new OracleCommand(strSql, conn))
                    {
                        cmd2.CommandType = CommandType.Text;
                        cmd2.ExecuteNonQuery();
                    }
                }
                lblResult.Text = "Your password has been changed successfully.";
                resetControls();
            }
            catch (Exception ex)
            {
                lblResult.Text = ex.Message;
            }
        }

        private void resetControls()
        {
            txtConfirmPassword.Text = "";
            txtNewPassword.Text = "";
            txtOldPassword.Text = "";
            ddlOracleServer.SelectedIndex = 0;
        }
    }
Shailendra S...
Member
551 Points
145 Posts
Re: sending password as clear text. please help
Dec 01, 2012 11:42 AM
You can use encryption and decryption.
http://www.codeproject.com/Questions/449070/How-to-encrypt-and-Decrypt-the-password-entering-i
www.techaray.com
Miss .Net
0 Points
24 Posts
Re: sending password as clear text. please help
Dec 01, 2012 02:14 PM
BrockAllen
All-Star
27520 Points
4900 Posts
MVP
Re: sending password as clear text. please help
Dec 01, 2012 04:04 PM
On which network connections is it in plaintext? You need to be concerned about browser->server but also server->database. You would solve both by using SSL for both of those network connections (or IPSec from server->database).
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
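The browser->server half of the advice above, as an added example that is not part of the thread or the poster's code: a base page for the password-change form that only ever accepts the form over HTTPS. The class name `SecurePage` is hypothetical, and the sketch assumes SSL is terminated on the web server itself and bound to port 443. It does nothing for the server->database leg, which is configured separately.

```csharp
using System;
using System.Web;

// Added illustration (hypothetical class): the password-change page would
// inherit from SecurePage instead of System.Web.UI.Page.
public class SecurePage : System.Web.UI.Page
{
    protected override void OnInit(EventArgs e)
    {
        // Assumption: SSL ends on this server. Behind an SSL-terminating
        // proxy IsSecureConnection is always false and this check would
        // reject every request.
        if (!Request.IsSecureConnection)
        {
            if (string.Equals(Request.HttpMethod, "GET",
                              StringComparison.OrdinalIgnoreCase))
            {
                // A GET of the form carries no password yet, so it is safe
                // to send the browser to the HTTPS address of the same page.
                UriBuilder secure = new UriBuilder(Request.Url);
                secure.Scheme = Uri.UriSchemeHttps;
                secure.Port = 443; // assumption: default HTTPS binding
                Response.Redirect(secure.Uri.AbsoluteUri, true);
            }
            else
            {
                // A POST over HTTP has already put the old and new password
                // on the wire. Refuse it instead of redirecting, so the form
                // can never be made to work without SSL.
                Response.StatusCode = 403;
                Response.StatusDescription = "HTTPS required";
                Response.End();
            }
            return;
        }

        base.OnInit(e);
    }
}
```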