
I've created a default MVC 4 project with login authentication.

When I register for an account with password: 123456

Why is it stored in the SQL database as: ALWsAlpVTehuGr7W2jaGwoX3Ww0RE5GC+yYDITvCpCdHmIIrX7vwMoTW3cEbMsGd4w==

If so, how does it compare the 2 strings to check whether the password entered is correct?

tereško
MVC_noob

1 Answer

By default, when passwords are stored in an SQL database they are encrypted. When you try logging in again, the password will be encrypted before the authentication attempt, then this encrypted password will be compared to the one stored in the database.

It is disturbingly common for companies' databases to become compromised. Imagine if a hacker got a copy of your database and right there were everyone's usernames and passwords in plain text. Most people use the same password for multiple sites, so imagine the repercussions. Whereas if the hacker only has the encrypted passwords, there is no way to reverse the salt and get the original plain text passwords out.

Brian H
  • So if a hacker acquires a password SQL database, all they have to do is search Google for "default SQL encryption pattern" and then they could crack the passwords?? – MVC_noob Jan 28 '14 at 19:52
  • The beautiful thing about password encryption is it's one directional. The amount of computing power required to decrypt a password is astronomical. The 'formula' used to encrypt passwords cannot be reversed – Brian H Jan 28 '14 at 20:00
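The compare-at-login step the answer describes, written out as an added example (not code from the question, the answer, or ASP.NET itself). The default MVC 4 template uses SimpleMembership, whose `Crypto.HashPassword` stores a base64 string laid out as one version byte (0x00), a 16-byte random salt, and a 32-byte PBKDF2-HMAC-SHA1 subkey derived with 1000 iterations; the value in the question decodes to exactly those 49 bytes. The Python below reproduces that layout, so the stored value is never decrypted: the login attempt is re-derived with the stored salt and the two subkeys are compared with a constant-time comparison. The function names and the sample password `correct horse` are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Layout of a version-0 System.Web.Helpers.Crypto hash (used by SimpleMembership):
#   [0x00][16-byte salt][32-byte PBKDF2-HMAC-SHA1 subkey, 1000 iterations], base64-encoded.
VERSION_BYTE = 0x00
SALT_SIZE = 16
SUBKEY_SIZE = 32
ITERATIONS = 1000

# The stored value copied from the question (assumed, per the asker, to come from "123456").
STORED_FROM_QUESTION = "ALWsAlpVTehuGr7W2jaGwoX3Ww0RE5GC+yYDITvCpCdHmIIrX7vwMoTW3cEbMsGd4w=="


def pbkdf2_subkey(password: str, salt: bytes) -> bytes:
    """Derive the 32-byte subkey the same way Rfc2898DeriveBytes does (UTF-8, HMAC-SHA1)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_SIZE)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a stored value in the same format; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    raw = bytes([VERSION_BYTE]) + salt + pbkdf2_subkey(password, salt)
    return base64.b64encode(raw).decode("ascii")


def parse_hash(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored value into (version, salt, subkey); rejects anything of the wrong size."""
    raw = base64.b64decode(stored)  # raises binascii.Error (a ValueError) on malformed input
    if len(raw) != 1 + SALT_SIZE + SUBKEY_SIZE:
        raise ValueError("unexpected hash length %d" % len(raw))
    return raw[0], raw[1:1 + SALT_SIZE], raw[1 + SALT_SIZE:]


def verify_password(stored: str, attempt: str) -> bool:
    """The login check: re-derive with the stored salt and compare subkeys in constant time."""
    try:
        version, salt, expected = parse_hash(stored)
    except ValueError:
        return False  # corrupt or foreign value: treat as a failed login, never as an error leak
    if version != VERSION_BYTE:
        return False
    return hmac.compare_digest(expected, pbkdf2_subkey(attempt, salt))


if __name__ == "__main__":
    version, salt, subkey = parse_hash(STORED_FROM_QUESTION)
    print("version byte:", version)
    print("salt (hex):  ", salt.hex())
    print("subkey (hex):", subkey.hex())
    # If the question's value really came from "123456", this prints True.
    print("'123456' matches the question's stored value:", verify_password(STORED_FROM_QUESTION, "123456"))

    stored = hash_password("correct horse")
    print("new hash:", stored)
    print("right password verifies:", verify_password(stored, "correct horse"))
    print("wrong password verifies:", verify_password(stored, "correct horsf"))
    print("same password, two different stored values:", hash_password("correct horse") != stored)
```

Two points for a defender reading this: the salt makes the same password hash to a different stored value for every account, so a leaked table cannot be matched against a single precomputed list of hashes; and `hmac.compare_digest` (like the byte-array comparison in `Crypto.VerifyHashedPassword`) avoids leaking, through timing, how many bytes of a guess were correct.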