StellarPC.com | How to hash passwords for storage (ASP.Net)
How to hash passwords for storage (ASP.Net)
Written by: Justin Rich


Content: Using FormsAuthentication to hash a password before storing it in potentially public places
Keywords: Security, Hashing, ASP.Net

Passwords are central to web application security and can be compromised in many ways. Even as the administrator you should never be able to see a user's password: hash it before it ever reaches your database table, and never keep sensitive data in plain text anywhere. A hash is the right tool for passwords because you never need the original string back. Hashing is not encryption: there is no key and no decryption step, only a one-way function. You store the hash, and at login you run the same function over the password the user typed and compare the two results. A plain, unsalted hash of a weak password is not enough on its own, though. An attacker who obtains the stored value can run the same fast hash over billions of guesses, or look it up in a precomputed table. Use a random per-user salt and a deliberately slow hash so that every guess costs real work. Separately, limit the number of login attempts per account so that nobody can script an online attack against your login form; a lockout only slows online guessing and does nothing once the hashes themselves have leaked.

On your "New User" form, take the password input field and hash its value before it is stored. Use the correct input type so the text shows as bullets instead of plain text. In straight HTML that is <input type="password">; in ASP.Net you use a TextBox control with the password option set through TextMode, for example: <asp:TextBox id="txtPasscode" Runat="server" TextMode="Password"></asp:TextBox>. Set a MaxLength on input fields as a matter of course, but do not make the password limit short: a generous cap (say 128 characters) keeps long passphrases possible while still rejecting oversized posts. Submit the form over HTTPS so the plain-text password is protected on the wire; the hash only protects it at rest.

From that input point, you can do this (FormsAuthentication lives in System.Web.Security):
Imports System.Web.Security
' Hash the posted password; the second argument names the algorithm ("SHA1" or "MD5").
Dim strPass As String = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPasscode.Text, "sha1")


In the example, "sha1" is not a key. It names the hash algorithm: HashPasswordForStoringInConfigFile accepts only "SHA1" or "MD5" and returns the hex-encoded digest of the password. There is nothing to "undo" because a hash has no decryption step, but there is also no secret and no salt in this call. Two users with the same password get the same stored value, and it is the same value anyone else computes from that password, so it does not become unique to your program. You must use the same algorithm name when you do the comparison. This method was marked obsolete in later versions of the .Net Framework, and MD5 and plain SHA1 are both fast, unsalted hashes, so for anything new prefer a salted, iterated scheme such as PBKDF2 through System.Security.Cryptography.Rfc2898DeriveBytes.

Once that is done, strPass can be stored in your database. It is not safe to hand the hash to the client as a cookie: whoever holds the cookie can replay it as a credential without ever knowing the password, and an unsalted SHA1 or MD5 hash of a common password can be recovered from precomputed tables. Keep the hash server-side and give the client a session ticket instead (FormsAuthentication's own authentication cookie, for example). To validate a login, take the password the user entered on your log-in form, hash it with exactly the same method as above, and compare the two hashed values. If they match, the user is in; if not, reject the attempt. This way an actual password is never pulled from or stored in a public place. Use SSL/TLS for the login form and every authenticated page, not only for "very sensitive" data, because the plain-text password still travels from the browser to the server.

For instructions on setting and reading cookies (for a session ticket, not for the password hash), see my follow up article: How to store cookies (ASP.Net) -> http://www.stellarpc.com/articles/board.aspx?id=30