Last post Feb 23, 2013 02:50 AM by markfitzme
Feb 22, 2013 11:21 PM
I am writing a test project to understand the concept of hashing. I wonder, when I am hashing a password using the System.Security.Cryptography.HashAlgorithm class on an unencrypted IIS server (http://), is the password initially sent across the network in plaintext before being hashed by ASP.NET?
Also, is the method I tried below for hashing a password actually secure or do I need to do more? (Like add a salt or use a different algorithm?)
Code sample below:
using System.Security.Cryptography;
using System.Text;
protected void btnHash_Click(object sender, EventArgs e)
{
    HashAlgorithm hashAlgorithm = HashAlgorithm.Create("SHA-512"); // "SHA-512" is a recognised algorithm name
    byte[] hashResult = hashAlgorithm.ComputeHash(Encoding.UTF8.GetBytes(txtBxHashThis.Text)); // ComputeHash returns a byte array
    lblOutputOfHash.Text = Convert.ToBase64String(hashResult);
}
Feb 22, 2013 11:47 PM
You hash the user's initial password (so either auto-generated password or the one they choose/enter into your app). As for the API, use the built-in one from ASP.NET:
Also, SSL is mandatory -- how else can they send you the password securely?
Feb 23, 2013 02:50 AM
If you send something across an http connection then yes, it will be plain text since it's an unencrypted communication over http. The browser knows nothing about your hash so it couldn't hash it beforehand.
The more secure the better. If you add a salt, you must remember to store that salt with the user's account information so that you could validate the password later as you will need that salt to hash whatever they enter to compare against the stored hash.