How do I make a password not visible in SQL Server Object Explorer? (Visual Studio 2013). I have searched a lot but could not find anything. Please help.

- Storing passwords in plain text is a bad idea. Take a look at this [question](http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database), which includes a good discussion of password best practice. – David Rushton Jan 04 '17 at 10:16
- Server Explorer shows what you enter in that field. It is your program that should encrypt that text if you don't want it to be _understandable_. – Steve Jan 04 '17 at 10:19
- The best way would be to not store plain-text passwords in your database. Hash and salt your passwords and then store the result. Or use any one of a number of authentication libraries. – Lithium Jan 04 '17 at 10:19
- A SQL Server database can either have a SQL password or a Windows password, using the user's Windows login password. Using the Windows password will eliminate the need for entering a password in the application. – jdweng Jan 04 '17 at 10:20
- You can't prevent clients from showing the data they return from the database; you can only prevent them from actually getting "readable" data by making the data unreadable but still usable. For passwords, storing them in plaintext is **completely** wrong and **must not be done!** I cannot stress this enough. You need to use salting and hashing, and this requires changes to your application logic as well. **You MUST do this!** There are numerous articles on the web on how to go about securing password storage properly; I suggest you go read some of those. – Lasse V. Karlsen Jan 04 '17 at 10:27
- To answer your question as stated within the context you've stated: **You can't.** There is no way you can tell the client not to show the data it was given by the database. No way at all. – Lasse V. Karlsen Jan 04 '17 at 10:29
- Thanks @LasseV.Karlsen, I will learn salting and hashing. I was thinking about what kind of type to set for the password, but didn't search the web when I created the database. My application isn't for a website that needs this kind of security, but I will edit it, and in future I will know how to do that :)) – DVL Jan 04 '17 at 14:53
3 Answers
As mentioned in the comments, you should not store passwords as plain text in your database.
I suggest you use a cryptographic hash function and store the result in your table.
In SQL:

```sql
HASHBYTES('SHA2_512', 'YourPassword')
```

HASHBYTES function: https://msdn.microsoft.com/en-us/library/ms174415.aspx
You have a good example here:
https://www.mssqltips.com/sqlservertip/4037/storing-passwords-in-a-secure-way-in-a-sql-server-database/

Short answer: this is not possible.
Long answer: Your problem, though, is not the visibility of the password. It is the recoverability of the password.
As said by @Arnoud Gastelblum, you should hash your password.
Hashing is a one-way method of changing a password into a string which is not reversible. This way, even if the password string is visible, it doesn't make sense and cannot be reverted to a real password.
How can I check passwords?
As said above, hashing is a one-way process: once something is hashed there is no way back. So to check a password when someone logs in, you hash the input string that someone sends to your server and then compare this hash with the hash already in the database. If they are not the same, the password is incorrect.

This is a simple helper for hashing a password and storing the hash value and salt value in the DB.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class PasswordBLL
{
    // Re-hashes the supplied password with the user's stored salt and
    // compares it with the stored hash.
    public static bool ValidatePassword(UserObjLibrary user, string Password)
    {
        return user.passwordHash == EncodePassword(Password, user.passwordSalt);
    }

    // Returns the userId on success, -1 if the user is unknown and -2 if the
    // password does not match.
    public static int ValidatePassword(string userName, string Password, string ipAddress, string MacAddress)
    {
        UserDAL ud = new UserDAL();
        UserObjLibrary user = ud.Details(userName: userName);
        // Check for a missing user before touching any of its fields.
        if (user == null || user.userId < 1)
            return -1;
        user.lastActivity_ip = ipAddress;
        user.lastActive_MAC_address = MacAddress;
        ud.LogInActivity(user);
        return ValidatePassword(user, Password) ? user.userId : -2;
    }

    // 16 random bytes from the OS CSPRNG, Base64-encoded for storage.
    public static string GenerateSalt()
    {
        byte[] buf = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(buf);
        }
        return Convert.ToBase64String(buf);
    }

    // SHA-512 over (salt || UTF-16LE password), Base64-encoded.
    public static string EncodePassword(string pass, string salt)
    {
        try
        {
            byte[] bytes = Encoding.Unicode.GetBytes(pass);
            byte[] src = Convert.FromBase64String(salt);
            byte[] dst = new byte[src.Length + bytes.Length];
            Buffer.BlockCopy(src, 0, dst, 0, src.Length);
            Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
            using (HashAlgorithm algorithm = SHA512.Create())
            {
                return Convert.ToBase64String(algorithm.ComputeHash(dst));
            }
        }
        catch (FormatException)
        {
            // Thrown by FromBase64String if the stored salt is not valid Base64
            return "--Invalid--"; // Any non-empty value is fine to make sure the match fails
        }
    }
}
```

And when you add a user to the DB, generate the one-way hash:

```csharp
public int Add(UserObjLibrary user)
{
    UserDAL ud = new UserDAL();
    user.passwordSalt = PasswordBLL.GenerateSalt();
    user.passwordHash = PasswordBLL.EncodePassword(user.password, user.passwordSalt);
    return ud.Add(user);
}
```

Validating user credentials when the user attempts to log in:

```csharp
public static bool Login(string userName, string password, string ipAddress, string MacAddress)
{
    return PasswordBLL.ValidatePassword(userName: userName, Password: password, ipAddress: ipAddress, MacAddress: MacAddress) > 0;
}
```

- -1; it's pretty obvious you've nicked this from the codebase of a previous employer, and that it wasn't written entirely by you. Irrelevant side effects like explicitly storing the user's IP and MAC address on the user model give away that this was lifted from a real codebase without even carefully reading over it to remove the bits that shouldn't be there, and the consistently correct English gives away - in light of the fact that over two thirds of non-plagiarised sentences from your last 10 answers contain a spelling, grammar, or punctuation mistake - that you didn't write it yourself. – Mark Amery Dec 17 '17 at 11:08
- @MarkAmery, now this is a little too much. This is code from CodePlex and was written by me on CodePlex too. In a couple of places I accepted your downvote, but I disagree on this. – HaBo Dec 18 '17 at 10:55
- The fact that the code has random irrelevant stuff about IPs and MAC addresses sprinkled in is enough reason to downvote even if it were not plagiarised. As for the plagiarism, I'm not sure whether you're claiming this is from a project hosted on CodePlex or from CodePlex's internals, but given that you've not managed to write a single correct sentence in this answer or your reply to me but have apparently managed to make no errors in the two comments in the code... well, you'll forgive me if I just plain don't believe that you authored it. – Mark Amery Dec 18 '17 at 16:36