Re: encrypted password

Discussion in 'MCAD' started by Davin Mickelson, Nov 17, 2003.

  1. On a side note, I don't believe you should be saving encrypted passwords in
    your database. Rather you should be saving hash representations of passwords
    of authenticated users that will be compared against user-submitted hashed
    passwords. Reverse cryptography is then eliminated. If you have access, take
    a look at how it is performed in Commerce Server 2002.

    Admittedly, I have no knowledge of the software you are developing or why
    you are developing it this way.

    Good luck,
    Davin Mickelson

    "asad" <> wrote in message
    news:077d01c3ab7f$b3a7a2d0$...
    hi,



    I am encountering problem while I am saving my Encrypted
    password (as byte) in SQLSERVER2000 using
    ASP.NET. Before saving to SQLSERVER on screen the
    Encrypted password is as follow:

    SY=

    After saving to SQLSERVER 2000 its become as follow:


    L?s




    Following line are showing the part of ASP.NET source file
    in order to save the Encrypted password
    in SQLSERVER 2000



    Dim encoder As New System.Text.UTF8Encoding()

    regsp.Parameters.Add(New SqlParameter("@userkey", _
    SqlDbType.VarChar, 50)).Value = encoder.GetString
    (Encrypted password in byes)



    Please help me!


    with regards,

    Asad


    Davin Mickelson, Nov 17, 2003
    #1
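The corruption Asad shows is caused by the encoding step, not by SQL Server: UTF8Encoding.GetString turns every byte sequence that is not valid UTF-8 into U+FFFD, and a VARCHAR column whose code page cannot represent that character stores '?' instead. The C# below is an added example, not code from the thread or from Asad's application. It reproduces the failure on a constructed 3-byte sample and shows two SqlParameter forms that preserve the bytes. It assumes the classic System.Data.SqlClient provider used in the posted VB.NET; the parameter name @userkey and the VARCHAR(50) size are taken from that code. The same rule applies once the stored value is a password hash rather than ciphertext, as Davin recommends above, because hash output is raw bytes too.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // classic ADO.NET provider, as in the posted VB.NET
using System.Text;

// Added example, not code from the thread. Shows why passing ciphertext bytes
// through UTF8Encoding.GetString destroys them, and two ways to hand the same
// bytes to SqlParameter that survive the trip to SQL Server and back.
static class CipherTextStorage
{
    // What the posted code does: treat arbitrary bytes as UTF-8 text. Any byte
    // sequence that is not valid UTF-8 decodes to U+FFFD; written to a VARCHAR
    // column that cannot represent it, SQL Server stores '?'. Returns false
    // when the bytes do not survive the text round trip.
    public static bool SurvivesUtf8RoundTrip(byte[] cipherText)
    {
        string asText = Encoding.UTF8.GetString(cipherText);
        byte[] back = Encoding.UTF8.GetBytes(asText);
        return SameBytes(cipherText, back);
    }

    // Fix 1: Base64 text. Works with the existing VARCHAR(50) column for
    // ciphertext up to 36 bytes (Base64 grows data by 4/3, padded to a
    // multiple of 4 characters).
    public static SqlParameter AsBase64Parameter(byte[] cipherText)
    {
        var p = new SqlParameter("@userkey", SqlDbType.VarChar, 50);
        p.Value = Convert.ToBase64String(cipherText);
        return p;
    }

    // Fix 2 (preferred): store bytes as bytes. The column must be changed
    // from VARCHAR(50) to VARBINARY(50) for this parameter to be accepted.
    public static SqlParameter AsBinaryParameter(byte[] cipherText)
    {
        var p = new SqlParameter("@userkey", SqlDbType.VarBinary, 50);
        p.Value = cipherText;
        return p;
    }

    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    static void Main()
    {
        // Constructed sample, not the poster's data: 'L', an invalid UTF-8 lead
        // byte with no continuation byte after it, then 's'. Real ciphertext is
        // full of such sequences, which is why almost any encrypted value is
        // mangled by the text path.
        byte[] cipherText = { 0x4C, 0xC3, 0x73 };

        Console.WriteLine("decoded as UTF-8:         " + Encoding.UTF8.GetString(cipherText));
        Console.WriteLine("UTF-8 round trip intact:  " + SurvivesUtf8RoundTrip(cipherText));

        string b64 = (string)AsBase64Parameter(cipherText).Value;
        Console.WriteLine("Base64 form:              " + b64);
        Console.WriteLine("Base64 round trip intact: " +
                          SameBytes(cipherText, Convert.FromBase64String(b64)));

        // The VARBINARY parameter carries the bytes unchanged; no decoding step exists.
        Console.WriteLine("VARBINARY value length:   " +
                          ((byte[])AsBinaryParameter(cipherText).Value).Length);
    }
}
```

The same mistake hides in the reverse direction: reading a VARCHAR column into a string and calling GetBytes on it will not recover the original bytes either, so whichever fix is chosen, the read side must use Convert.FromBase64String or read the VARBINARY column as byte[].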

  2. Jay Walters (Guest)

    Yes, good point (can't believe I didn't pick up on that -
    I'm kind of trendy about security, lol).

    Actually - yes, you should hash passwords and encrypt only
    credit card data (or other secure data that you'll need
    to retrieve later). Passwords are something you should
    never need to access as clear text. If you have
    a "retrieve your password" function for your end-users
    (like sending them a copy of their lost password) - you
    should really look at generating them a new password
    after they confirm their birthday and other personal
    info .. and then send it to their email on record.

    You should salt the hash with a piece of data that is
    unique to the user login such as their first login date -
    or even better add a GUID column and assign a GUID on
    account creation. - Hashing is good, but it's possible to
    create a hash dictionary of common passwords and try to
    find equal hash values. Salting the hash will protect
    the data from easy attacks like this.

    Also - in terms of Asymmetric encryption, you should use
    the Rijndael algorithm and not TDES, as many experts will
    point out.


    Jay Walters, Nov 18, 2003
    #2
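Posts #1 and #2 together describe one scheme: store a one-way hash rather than ciphertext, salt it per user, and compare on login. The following C# is an added example of that scheme, not code from the thread and not how Commerce Server 2002 does it. It uses PBKDF2 (Rfc2898DeriveBytes with HMAC-SHA256) so that each guess costs the attacker real work, and a random salt from the CSPRNG, which serves the same purpose as the per-user GUID column Jay suggests. The column names PasswordSalt and PasswordHash are hypothetical. CryptographicOperations.FixedTimeEquals needs .NET Core 2.1 or later; on .NET Framework replace it with a loop that ORs the XOR of every byte pair and checks the result at the end.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not code from the thread. Stores a per-user random salt and a
// slow one-way hash (PBKDF2-HMAC-SHA256) instead of an encrypted password, so
// there is no key whose loss exposes every account and a precomputed hash
// dictionary cannot be reused across users.
static class PasswordStore
{
    const int SaltSize = 16;         // 128-bit salt per user
    const int HashSize = 32;         // 256-bit hash output
    const int Iterations = 600_000;  // PBKDF2 work factor; tune so one check costs ~100 ms on your servers

    // Registration: returns the two Base64 strings to store in, for example,
    // PasswordSalt VARCHAR(24) and PasswordHash VARCHAR(44) (hypothetical
    // columns). Base64 is used so the raw bytes survive a VARCHAR column intact.
    public static (string Salt, string Hash) Create(string password)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);
        return (Convert.ToBase64String(salt), Convert.ToBase64String(Derive(password, salt)));
    }

    // Login: recompute with the stored salt and compare in constant time, so
    // timing does not reveal how many leading bytes of the hash matched.
    public static bool Verify(string password, string storedSalt, string storedHash)
    {
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Derive(password, Convert.FromBase64String(storedSalt));
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    static void Main()
    {
        // Constructed sample accounts. Two users with the same password get
        // different hashes, which is exactly what defeats a hash dictionary.
        const string shared = "correct horse battery staple";
        var alice = Create(shared);
        var bob   = Create(shared);
        Console.WriteLine("same password, same stored hash? " + (alice.Hash == bob.Hash));
        Console.WriteLine("alice, right password: " + Verify(shared, alice.Salt, alice.Hash));
        Console.WriteLine("alice, wrong password: " + Verify("Correct horse battery staple", alice.Salt, alice.Hash));
        Console.WriteLine("bob's hash with alice's salt rejected: " + !Verify(shared, alice.Salt, bob.Hash));
    }
}
```

The lost-password flow follows from the storage: because the application can never recover the old password, "forgot password" issues a new random credential, or better a single-use, expiring reset token whose hash is stored the same way, and never mails the old value.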

  3. Jay Walters (Guest)

    I meant symmetric, not asymmetric.

    As an additional note, if you want to be extra hard core:

    The Key and IV that you'll need to generate for the
    symmetric algorithm should not be stored as bytes in your
    encrypt/decrypt functions .... rather you should print
    them out (or burn a file to CD) and store it somewhere
    safe.

    You should build a helper application to store the bytes
    in the registry and encrypt the bytes using the DPAPI.
    Then your app can read from the registry, decrypt the
    bytes, and store them in memory. Your functions would then get
    the clear bytes from memory... Why do all this? Because
    your assembly can be easily reverse-engineered.
    Hope this helps.

    Jay Walters, Nov 18, 2003
    #3
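Post #3 separates the key from the code that uses it: a helper writes a DPAPI-wrapped key to the registry once, and the application unwraps it into memory at startup. The C# below is an added example of that split, not code from the thread. It assumes Windows (DPAPI and the registry have no equivalent elsewhere), DataProtectionScope.CurrentUser, which binds the blob to one Windows account and therefore requires the helper to run as the same account as the web application, and a hypothetical registry location and value name. AesGcm needs .NET Core 3.0 or .NET 5+; ProtectedData and the registry classes come from the System.Security.Cryptography.ProtectedData and Microsoft.Win32.Registry packages where the target framework does not already include them. It departs from the post in one respect: the IV is not stored alongside the key. A fresh random nonce is generated per record and stored with the ciphertext, because a reused nonce under GCM breaks the cipher entirely, and a fixed IV under CBC reveals which records share a prefix. The card number in Main is a constructed test value.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

// Added example, not code from the thread. Windows only (DPAPI and registry).
// Registry path and value name are hypothetical.
static class KeyStore
{
    const string KeyPath  = @"Software\ExampleApp\Crypto";   // hypothetical
    const string KeyValue = "DataKeyDpapi";                  // hypothetical

    // Extra entropy is not a secret by itself, but any other process running as
    // the same user must also know it before DPAPI will unprotect the blob.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp-data-key-v1");

    // Helper-application side. Run once, under the same Windows account the web
    // application uses. Only the DPAPI-wrapped key ever reaches the registry;
    // the plaintext key is wiped as soon as it has been wrapped.
    public static void Install()
    {
        byte[] key = new byte[32];                                 // AES-256 key
        RandomNumberGenerator.Fill(key);
        byte[] blob = ProtectedData.Protect(key, Entropy, DataProtectionScope.CurrentUser);
        CryptographicOperations.ZeroMemory(key);
        using (RegistryKey rk = Registry.CurrentUser.CreateSubKey(KeyPath))
            rk.SetValue(KeyValue, blob, RegistryValueKind.Binary);
    }

    // Application side: read the blob at startup and unwrap it into memory.
    public static byte[] Load()
    {
        using (RegistryKey rk = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            byte[] blob = rk?.GetValue(KeyValue) as byte[];
            if (blob == null)
                throw new InvalidOperationException("data key not installed; run the helper (Install) first");
            return ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        }
    }
}

static class CardCipher
{
    const int NonceSize = 12, TagSize = 16;

    // AES-GCM: a fresh random nonce per record, stored in front of the
    // authentication tag and ciphertext. The key is the only secret.
    // Layout of the returned bytes: nonce || tag || ciphertext.
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] stored = new byte[NonceSize + TagSize + pt.Length];
        Span<byte> nonce = stored.AsSpan(0, NonceSize);
        Span<byte> tag   = stored.AsSpan(NonceSize, TagSize);
        Span<byte> ct    = stored.AsSpan(NonceSize + TagSize);
        RandomNumberGenerator.Fill(nonce);
        using (var aes = new AesGcm(key))
            aes.Encrypt(nonce, pt, ct, tag);
        return stored;
    }

    // Throws CryptographicException if the nonce, tag or ciphertext was altered.
    public static string Decrypt(byte[] key, byte[] stored)
    {
        ReadOnlySpan<byte> nonce = stored.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> tag   = stored.AsSpan(NonceSize, TagSize);
        ReadOnlySpan<byte> ct    = stored.AsSpan(NonceSize + TagSize);
        byte[] pt = new byte[ct.Length];
        using (var aes = new AesGcm(key))
            aes.Decrypt(nonce, ct, tag, pt);
        return Encoding.UTF8.GetString(pt);
    }
}

static class Program
{
    static void Main()
    {
        KeyStore.Install();                    // helper application: run once, not on every start
        byte[] key = KeyStore.Load();          // web application: at startup, key stays in memory only

        byte[] stored = CardCipher.Encrypt(key, "4111111111111111");   // constructed test card number
        Console.WriteLine("store in VARBINARY, shown as Base64: " + Convert.ToBase64String(stored));
        Console.WriteLine("decrypted: " + CardCipher.Decrypt(key, stored));

        stored[stored.Length - 1] ^= 1;        // flip one ciphertext bit
        try { CardCipher.Decrypt(key, stored); }
        catch (CryptographicException) { Console.WriteLine("tampered record rejected"); }
    }
}
```

Install and Load appear in one Main only so the example runs end to end; in practice the helper is a separate executable and the web application calls only Load. The DPAPI blob does not protect against an attacker who already runs code as the application's account; it protects the key from being read out of the assembly, the registry backup or a file share, which is the threat the post describes.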
