I have my own password encryption dll that I am using to check the user's password when they login, this is referenced in my User entity.

Now I have created the ability for a user to register, which is working fine, apart from the fact that the passwords are yet to be encrypted.

My question is quite simple: where should I put the encryption of the new user's password? I'm not sure, as I am aware that the user's password shouldn't be transmitted in plain text, therefore I don't know where the best place to call the encryption function is:

  • User Entity (where the encryption dll is already used for validation).
  • The User repository where the save user method is.
  • The User controller where the user creation views are controlled.
  • Somewhere else that I haven't considered!

Thanks very much

XN16

4 Answers

First of all, for client - server communication, I would suggest you use SSL so that sensitive information (like passwords) is not transferred in plain text.

Afterwards, it's the common practice not to save passwords anywhere (even with encryption), but only the hashed values of them.

You can put the hash function in the set method of the password property. Here is an example:

using System;
using System.Security.Cryptography;
using System.Text;

public class Member
{
    private string _username;

    public string Username
    {
        get { return _username; }
        set { _username = value.ToLowerInvariant(); }
    }

    // Only the hash is persisted; the plain-text password is never stored.
    public string Passhash { get; set; }

    public void SetPassword(string password)
    {
        Passhash = Crypto.Hash(password);
    }

    public bool CheckPassword(string password)
    {
        return string.Equals(Passhash, Crypto.Hash(password));
    }
}

public static class Crypto
{
    // Plain, unsalted SHA-256 of the UTF-8 bytes. Deliberately simple; the edit
    // and the comments on this answer point at a stronger scheme for real use.
    public static string Hash(string value)
    {
        using (var sha256 = SHA256.Create())
        {
            return Convert.ToBase64String(
                sha256.ComputeHash(Encoding.UTF8.GetBytes(value)));
        }
    }
}

Edit:

As Craig Stuntz pointed out, the Hash code in this example is very simple. See the following post for a more secure way to hash your password: Hashing passwords with MD5 or sha-256 C#

M. Mennan Kara
  • Thanks very much, I like this answer, however I am using Entity Framework and as soon as I change my Password property to be a Password Class as opposed to a string it won't get the data from the database, which makes sense. Do you have any idea how to get around this issue? – XN16 Aug 17 '12 at 20:18
  • Thanks very much. With a few more tweaks everything is working as expected! – XN16 Aug 17 '12 at 20:40
  • If you're using un-salted SHA, don't kid yourself that you're doing much better than storing plaintext. Use an off-the-shelf, bcrypt-based system. – Craig Stuntz Aug 17 '12 at 20:43
In a service layer method that will be responsible for doing 2 things:

  1. call your encryption layer to hash the password (not to encrypt it)
  2. call your user repository to persist the user entity to the database with the hashed password

The controller action will of course talk to the service layer.

Darin Dimitrov
Don't do your own password hashing and don't even think about encrypting passwords.

The effort of making this secure is tremendous. Use an existing method based on publicly available specs and algorithms.

Jeroen Wiert Pluimers
//ENCODE

using System;
using System.Text;

// Base64 is a reversible encoding, not encryption and not a hash: anyone who
// can read the stored value gets the original string back via base64Decode.
public string base64Encode(string sData)
{
    try
    {
        byte[] encData_byte = Encoding.UTF8.GetBytes(sData);
        return Convert.ToBase64String(encData_byte);
    }
    catch (Exception ex)
    {
        throw new Exception("Error in base64Encode: " + ex.Message, ex);
    }
}

//DECODE

public string base64Decode(string sData)
{
    try
    {
        byte[] todecode_byte = Convert.FromBase64String(sData);
        return Encoding.UTF8.GetString(todecode_byte);
    }
    catch (Exception ex)
    {
        throw new Exception("Error in base64Decode: " + ex.Message, ex);
    }
}

How to call

string encode = base64Encode(val);

string decode = base64Decode(val);


This is very helpful to decode and encode your string(password)
Thivan Mydeen