Last post Jun 25, 2010 06:54 PM by TATWORTH
Jun 24, 2010 10:52 AM|mehta.rahulit|LINK
I am using web (asp.net 3.5). c#
In my login form i accept username and password.
what is best way of fecthing username and password from user and saving in sqlserver in terms of security .
Is encription and decription only way? then how do i implement it?
Jun 24, 2010 11:45 AM|cmsrana|LINK
I don't think so that in login page it is required to save password in sql server. In login page just call a SQL SQEVER stored procedure which checks the username and password entered by user from front end with the one which stored in backend. Just return
the username and other details (not password) from the database if login succed else return failure message. you never retrive the password direcly from sql server
Jun 24, 2010 12:05 PM|mshoaiblibra|LINK
Read this for your information,
Jun 24, 2010 12:06 PM|tjaank|LINK
this may help:
Jun 24, 2010 12:32 PM|tugberk_ugurlu_|LINK
Are you using asp.net login control?
Is it for asp.net membership?
Jun 24, 2010 12:50 PM|Article|LINK
login page required to auth. the user .While sending the User name and password just connect to database and call the store procedure which take the parameters and check the user name and password enter by the user in UI .
For Strong password u can implement u r own password management policy.If u r storeing the pwd in data base in enc. formate using C#(using System.Security.Cryptography/...) or master key convept in sql server the while auth in login page
1)u should send the enc pwd that verify the enc pwd present in database table
2)u shand the plane pwd and verify the dec pwd present in database table.
Prasanta Kumar Pradhan
Jun 24, 2010 07:20 PM|tjaank|LINK
yes, my code is using asp.net login control
Jun 24, 2010 09:17 PM|Shailesh Patel|LINK
Option #1: You can store encrypted password in database
If some one(employee of the company/hacker) get the encrypted password and knows the what's algorithm used to encrypt the password, can easily decrypt the password. So It's not good for security point of view.
Option #2: You can store hash password in the database.
Once you store the password in hash format, no one can retrieve the password back in clear format. I would recommend this option to make your password rock solid.
For this option, When user types in userid, password, you have to convert the password in hash format and match that hash format with the hash format that stored in database. So in this case all the comparison will be done on hash format not in clear format.
And if you have "Forgot password" features, It's stored in hash format you can't retrieve user's password back in clear format and send an email to user. You have to regenerate the new password and before converting it into hash format you have to send an
email to user that password.
Hope this clears.
Jun 25, 2010 06:54 PM|TATWORTH|LINK
Passwords should always be stored as a hash and preferably using a method that includes say the id of the user's record. This will defeat an insider substituting the hash of their own password.