rookie

Reputation: 401

How to encrypt a password and save it in MySQL database.

Now I am just saving the password as it is

protected void Save_Click(object sender, EventArgs e)
{
    string userName = Label13.Text;
    DateTime now = DateTime.Now;

    // Connection to the local MySQL instance
    MySqlConnection connectionString = new MySqlConnection("Server=127.0.0.1;Database=surelyknown;Uid=root");
    connectionString.Open();
    MySqlDataAdapter adapter = new MySqlDataAdapter();
    MySqlCommand command = new MySqlCommand();

    // Parameterised INSERT into tbl_user
    adapter.InsertCommand = new MySqlCommand("INSERT INTO tbl_user (FirstName,LastName,Email,U_Password,CompanyName,UserPermission,PhoneNumber,Created,Modified,Active,CreatedBy,tbl_organisation_OrganisationID) VALUES(@FirstName,@LastName,@Email,@U_Password,@CompanyName,@UserPermission,@PhoneNumber,@Created,@Modified,@Active,@CreatedBy,@tbl_organisation_OrganisationID)", connectionString);
    adapter.InsertCommand.Parameters.Add("@FirstName", MySqlDbType.VarChar).Value = FirstName.Text;
    adapter.InsertCommand.Parameters.Add("@LastName", MySqlDbType.VarChar).Value = Surname.Text;
    adapter.InsertCommand.Parameters.Add("@Email", MySqlDbType.VarChar).Value = Email.Text;
    // The password is stored exactly as typed into the text box
    adapter.InsertCommand.Parameters.Add("@U_Password", MySqlDbType.VarChar).Value = Password.Text;
    adapter.InsertCommand.Parameters.Add("@CompanyName", MySqlDbType.VarChar).Value = Convert.ToString(nID);

And when the user logs into the website, how can the encrypted password be used to do authentication? I want to do the decryption on the server side itself. Please help.

Upvotes: 1

Views: 3296

Answers (2)

HJW

Reputation: 23443

Basically, hash + salt your password, save the hash into the database, do not save the clear-text password.

When the user logs into your system, hash the same password from him with the salt, compare that hash with the hash saved to your database, if they match, then your user is authenticated.

Hashing your password hides the real password from any successful attempts to hack into your password.

Salting your password with another arbitrary value saves you a margin from dictionary based brute force attacks.

See OWASP for the salt + hashing + high number of iterations technique. This is in Java, but I believe the theory covered is portable across any languages / implementations.

Upvotes: 4

Jeff Ferland

Reputation: 18292

First, you should salt and hash your passwords. When you say you want to do that on the server side, do you mean on the database server side, or the application server?

Upvotes: 0
