0

I am currently working on a project in which I am rewriting an old (late 1990s) web application in ASP.NET. Part of this application is a user authentication system, which is used to access a couple of pages on the site. The user credentials (username, password, etc.) are stored in a database table.

This is all pretty standard, but while working with this database I found, to my horror, that this data is stored in plaintext.

I am wondering what the best way would be to improve the security of this insecure system. Is there an easy method of taking the plaintext data, encrypting (or hashing) it, and reinserting it? Can I use .NET Forms Authentication to facilitate any of this, and is it a good option for user authentication in the new app?

Thanks!

Paul Woidke
  • 1
    As a side note, encrypting stored passwords is generally a Bad Idea. Hashing them is by far the preferred option. – Aurand Sep 05 '13 at 19:20
  • 1
    To expand on @Aurand's comment: Hashing with salt is considered common practice; hashes without salt are almost as bad as encrypting. It is too easy for hackers to get back the password otherwise. – josh poley Sep 05 '13 at 19:31
  • That definitely makes sense. I would prefer to hash passwords if it's not much additional work. Can I implement this similarly to @Garrison Neely's answer? – Paul Woidke Sep 06 '13 at 11:31

1 Answer

0

If you are on a Windows network, I'd use Windows Auth, which uses Active Directory. That would allow your Systems Admin group/person to administer who has access to the application.

Forms Auth is a good idea if Windows Auth won't work for you.

If they won't give you the time to implement either of the auth frameworks, I'd definitely encrypt the passwords on the database. Write a Console app and encrypt the passwords using information found here: Encrypt and decrypt a string

Then you'd need to modify your existing app to check encrypted passwords instead of plaintext ones.

Garrison Neely