encryption/decryption problem
-
Hi all, I am using the following code for encryption and decryption for a password field. But when I am testing this with TamperIE for web security, the password is showing in plain text there, so any hacker can do anything. My code is:

    Private Function Decrypt(ByVal myString As String) As String
        ' 3DES key is the MD5 hash of the value kept in Session("salt")
        cryptDES3.Key = cryptMD5Hash.ComputeHash(ASCIIEncoding.ASCII.GetBytes(Session("salt")))
        cryptDES3.Mode = CipherMode.ECB
        Dim desdencrypt As ICryptoTransform = cryptDES3.CreateDecryptor()
        Dim buff() As Byte = Convert.FromBase64String(myString)
        Decrypt = ASCIIEncoding.ASCII.GetString(desdencrypt.TransformFinalBlock(buff, 0, buff.Length))
    End Function

    Private Function Encrypt(ByVal myString As String) As String
        ' Same key derivation and mode as Decrypt
        cryptDES3.Key = cryptMD5Hash.ComputeHash(ASCIIEncoding.ASCII.GetBytes(Session("salt")))
        cryptDES3.Mode = CipherMode.ECB
        Dim desdencrypt As ICryptoTransform = cryptDES3.CreateEncryptor()
        Dim MyASCIIEncoding = New ASCIIEncoding
        Dim buff() As Byte = ASCIIEncoding.ASCII.GetBytes(myString)
        Encrypt = Convert.ToBase64String(desdencrypt.TransformFinalBlock(buff, 0, buff.Length))
    End Function

The above code I am calling on page load like:

    txt_password.text = encrypt(txt_password.text)
    str = decrypt(txt_password.text)

It is working perfectly. But if I test with TamperIE it is showing plain text. Then how to do this? What do I have to use so that it should not show in plain text for the end user? Sorry if I disturb you, please let me know the answer.
kissy
-
Kissy16 wrote:
am using the following code for encryption and decryption for a password field.
Password fields should be stored as a one-way salted hash value (e.g. SHA256). That way you (or a hacker) can never get them back. When you want to check that a password matches then you create a salted hash of what the user typed and compare the two hashed values.
Kissy16 wrote:
But if I tested with TamperIE it is showing plain text
At what point is it showing plain text? What the user types in will be in plain text until you encrypt it.
-
Actually, I read some advice recently that suggested that it is better to move authentication over to a dedicated service that can implement it better than you can. I've since started using OpenID as the authentication mechanism for my websites so I never have to store passwords again. You might want to look into OpenID frameworks for .NET.
-
Ya. Actually I am using plain text passwords in the back end. When I use a salted hash on the new password field, then while changing the password it is the hashed password that gets updated, which I want to store as plain text. So this is my question: how do I do that, storing the changed password as plain text and not the hashed one?
kissy
-
Here is a FREE Password Hash library for .NET projects. http://passwordhash.jassimrahma.com
Technology News @ www.JassimRahma.com