problem while using md5 for password encryption
-
hai all, i am using the below function for password encryption.here my password is changing into encrypted form,but i dont know how to check that encrypted form password with plain text password from database? because database contains plain text password.Please can anybody respond my question. i wanted to use md5 in my login page. I dont know exactly how to use it. Public Function MD5Encryption(ByVal passwd As String) As Byte Dim i As Integer Dim md5 As MD5CryptoServiceProvider = New MD5CryptoServiceProvider Dim hashedbytes As Byte() Dim textencoder As UTF8Encoding = New UTF8Encoding hashedbytes = md5.ComputeHash(textencoder.GetBytes(passwd)) md5.ComputeHash(textencoder.GetBytes(passwd)) Dim right As StringBuilder = New StringBuilder For i = 0 To hashedbytes.Length - 1 Step 1 right.Append(hashedbytes(i).ToString("x2")) Next i If (right.ToString() <> passwd) Then Response.Redirect("login.aspx") md5.Clear() Else Response.Redirect("index.html") End If End Function
kissy
-
hai all, i am using the below function for password encryption.here my password is changing into encrypted form,but i dont know how to check that encrypted form password with plain text password from database? because database contains plain text password.Please can anybody respond my question. i wanted to use md5 in my login page. I dont know exactly how to use it. Public Function MD5Encryption(ByVal passwd As String) As Byte Dim i As Integer Dim md5 As MD5CryptoServiceProvider = New MD5CryptoServiceProvider Dim hashedbytes As Byte() Dim textencoder As UTF8Encoding = New UTF8Encoding hashedbytes = md5.ComputeHash(textencoder.GetBytes(passwd)) md5.ComputeHash(textencoder.GetBytes(passwd)) Dim right As StringBuilder = New StringBuilder For i = 0 To hashedbytes.Length - 1 Step 1 right.Append(hashedbytes(i).ToString("x2")) Next i If (right.ToString() <> passwd) Then Response.Redirect("login.aspx") md5.Clear() Else Response.Redirect("index.html") End If End Function
kissy
What exactly are you trying to do? Why would you want to encrypt it and then compare it to an unencrypted password stored in the database as plain text? If you are going to do this then the passwords that are stored in the database will need to be encrypted too. SQL 2005 has built in encryption:http://www.sqlservercentral.com/articles/SQL+Server+2005+-+Security/sql2005symmetricencryption/2291/[^]
-
What exactly are you trying to do? Why would you want to encrypt it and then compare it to an unencrypted password stored in the database as plain text? If you are going to do this then the passwords that are stored in the database will need to be encrypted too. SQL 2005 has built in encryption:http://www.sqlservercentral.com/articles/SQL+Server+2005+-+Security/sql2005symmetricencryption/2291/[^]
thanks for ur reply.exactly u r correct.If stored the password in encrypted form in the database can anybody know whats the password is? if some use asking his forgotten password,then how can i tell immediately if i look at the databse. For security purpose i wanted to encrypt,but the concept of storing encrypted password in the databse may lead to some other problem? Pleas understand my question and answer me. Thans once again
kissy
-
thanks for ur reply.exactly u r correct.If stored the password in encrypted form in the database can anybody know whats the password is? if some use asking his forgotten password,then how can i tell immediately if i look at the databse. For security purpose i wanted to encrypt,but the concept of storing encrypted password in the databse may lead to some other problem? Pleas understand my question and answer me. Thans once again
kissy
Kissy16 wrote:
.If stored the password in encrypted form in the database can anybody know whats the password is?
You have some major issues. 1 - MD5 is a hash, NOT an encryption. Therefore, you have to apply MD5 to your entered password and see if the hashes match. 2 - MD5 is not very secure at all. It's better than plaintext, but not much good against a serious attacker. Your best bet is to add some salt, and hope they can't work out what that is
Kissy16 wrote:
but the concept of storing encrypted password in the databse may lead to some other problem?
The concept of storing your non encrypted password leads to the problem you're trying to avoid. No two ways about it. Try thinking this through, just a little.
Christian Graus Driven to the arms of OSX by Vista. "I am new to programming world. I have been learning c# for about past four weeks. I am quite acquainted with the fundamentals of c#. Now I have to work on a project which converts given flat files to XML using the XML serialization method" - SK64 ( but the forums have stuff like this posted every day )
-
thanks for ur reply.exactly u r correct.If stored the password in encrypted form in the database can anybody know whats the password is? if some use asking his forgotten password,then how can i tell immediately if i look at the databse. For security purpose i wanted to encrypt,but the concept of storing encrypted password in the databse may lead to some other problem? Pleas understand my question and answer me. Thans once again
kissy
How important is it that these passwords remain protected? Just remember that if somebody has access to your passwords within your database then they probably have access to all your other data too which makes it kinda pointless encrypting all your passwords.
-
How important is it that these passwords remain protected? Just remember that if somebody has access to your passwords within your database then they probably have access to all your other data too which makes it kinda pointless encrypting all your passwords.
thanks once again yes u r correct, 1)but the use may change his password in later.At that time is that sqlserver automatically convert the changed password into encrypt form. 2)No this time how do i know what user has changed? This is my question,i have no idea please guide me through ur knowedge. So please tell me the answer
kissy
-
hai all, i am using the below function for password encryption.here my password is changing into encrypted form,but i dont know how to check that encrypted form password with plain text password from database? because database contains plain text password.Please can anybody respond my question. i wanted to use md5 in my login page. I dont know exactly how to use it. Public Function MD5Encryption(ByVal passwd As String) As Byte Dim i As Integer Dim md5 As MD5CryptoServiceProvider = New MD5CryptoServiceProvider Dim hashedbytes As Byte() Dim textencoder As UTF8Encoding = New UTF8Encoding hashedbytes = md5.ComputeHash(textencoder.GetBytes(passwd)) md5.ComputeHash(textencoder.GetBytes(passwd)) Dim right As StringBuilder = New StringBuilder For i = 0 To hashedbytes.Length - 1 Step 1 right.Append(hashedbytes(i).ToString("x2")) Next i If (right.ToString() <> passwd) Then Response.Redirect("login.aspx") md5.Clear() Else Response.Redirect("index.html") End If End Function
kissy
hi..i m facing most of the same problem as u. my problem is that, i've taken any random number and encrypt it through md5 and store it in the database.. but while changing password, when i want to check that random number with that encrypted password(i've encrypted the random number) then the encryption of the random number is not same as that one which is stored in database. while checking, i m giving the random number through text box. i think(with my a bit knowledge), encryption of value of a variable will not be same as encryption of the same value entered by the textbox. it can be some database problem also....i dont know.... i m sure that my coding is correct