Spitfire19
0 Points
1 Post
Is a password initially sent in plaintext when hashing in ASP.NET?
Feb 22, 2013 11:21 PM
I am writing a test project to understand the concept of hashing. I wonder, when I am hashing a password using the System.Security.Cryptography.HashAlgorithm class on an unencrypted IIS server (http://), is the password initially sent across the network in plaintext before being hashed by ASP.NET?
Also, is the method I tried below for hashing a password actually secure or do I need to do more? (Like add a salt or use a different algorithm?)
Code sample below:
using System;
using System.Security.Cryptography;
using System.Text;

protected void btnHash_Click(object sender, EventArgs e)
{
    // Single, unsalted SHA-512 pass over the text box contents; the text box
    // value has already reached the server by the time this runs.
    using (HashAlgorithm hashAlgorithm = HashAlgorithm.Create("SHA-512"))
    {
        byte[] hashResult = hashAlgorithm.ComputeHash(Encoding.UTF8.GetBytes(txtBxHashThis.Text));
        lblOutputOfHash.Text = Convert.ToBase64String(hashResult);
    }
}
BrockAllen
All-Star
27574 Points
4912 Posts
MVP
Re: Is a password initially sent in plaintext when hashing in ASP.NET?
Feb 22, 2013 11:47 PM
You hash the user's initial password (so either auto-generated password or the one they choose/enter into your app). As for the API, use the built-in one from ASP.NET:
http://brockallen.com/2012/10/19/password-management-made-easy-in-asp-net-with-the-crypto-api/
Also, SSL is mandatory -- how else can they send you the password securely?
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
markfitzme
Star
14495 Points
2243 Posts
Re: Is a password initially sent in plaintext when hashing in ASP.NET?
Feb 23, 2013 02:50 AM
If you send something across an http connection then yes, it will be plain text since it's an unencrypted communication over http. The browser knows nothing about your hash so it couldn't hash it beforehand.
The more secure the better. If you add a salt, you must remember to store that salt with the user's account information so that you could validate the password later as you will need that salt to hash whatever they enter to compare against the stored hash.