Last post Mar 28, 2012 11:29 AM by TATWORTH
Mar 23, 2012 12:22 PM|chandradev1|LINK
I have written the code like this for this task? Could you review my code, is it secure or not ?
public class EncryptionTest
public static string Encrypt(string strPassword)
FormsAuthenticationTicket Ftk = new FormsAuthenticationTicket(strPassword, false, 500);
public static string Decrypt(string encryptedString)
FormsAuthenticationTicket Ftk = FormsAuthentication.Decrypt(encryptedString);
Mar 23, 2012 03:11 PM|mm10|LINK
Well, the password can easily be decrypted. You should consider storing one-way hashvalues which cannot be decrypted. There are some secure hashing algorithms such as MD5 and SHA1 that can be used for this. See
Mar 26, 2012 04:20 AM|chandradev1|LINK
could you explain me, how the passwrd can be easily decrypted ?
Mar 28, 2012 08:35 AM|niceastham|LINK
Well if the key used to encrypt the password is comprimised, every single password can then be read by using it to decrypt ... and (someone correct me if i am wrong) i think the key used by the FormsAuthentication class is stored in the web config and therefore
readable if someone was to gain access to it.
It is best practice to salt and hash the password. Hashing is irreversible meaning the password can never be read. Adding a salt value (random set of characters) to the beginning of the password before hashing also means that any brute force attack on your
passwords would take hundreds of times longer to work.
Then we you are testing a users credentials, you retrieve the salt value and hashed password from the table in the database. You then add the salt value to the password that the user has just typed and hash it. If the the database hashed password matches
that of the newly hashed string then the passwords match.
Using this method, a user can never retrieve their password. It can only be reset.
If this doesnt make sense (as i am in a rush), google 'salt hash password'.
Anymore questions, just let me know.
Mar 28, 2012 08:53 AM|chandradev1|LINK
Thanks for sending nice reply. I completely agree with you. I also think this one is the best approach to store sensitive data in database. In this approach hacker canot detect the salt value so it will be very difficult to crack the password.
If you have some more good and secure approach the let me know. I m so much interested to learn.
Mar 28, 2012 11:29 AM|TATWORTH|LINK
Hashing passwords is definetly the way to go. One point MD5 is now discredited. SHA256 or SHA512 should be used. One further point to use of a hash is to make the salt not just some random string but to also include the id of the user. (The id is an immutable
value that should be assigned by the database). This makes transposition attacks virtually impossible as the same plain text password will hash differently for each user. For an example of this see http://commonlogon.codeplex.com/