3

To improve the security for my users I wish to hide all user passwords in my MSSQL database. The web application is in ASP Classic and the SQL field is a varchar(max).

I have heard about hashing the codes, but how does this work? Is it something to be done in the SQL string or by making an ASP function?

My current users table setup is:

    id    username    password
    1     jersey      plaintextpassword
    2     timber      plaintextpassword
    ....
John Saunders
MicBehrens

4 Answers

4

I prefer to store user passwords with md5.

Save the passwords after md5sum; when a user is trying to log in:

User variables from the form:

    var_username = jersey
    var_password = 123456

    // don't forget to escape for SQL injection
    // generate md5sum for the password
    var_md5password = md5(var_password)

    SELECT * FROM users WHERE username = 'var_username' AND password = 'var_md5password'

For example:

    |- id -|- username -|- password -|
    |-  1 -|- jersey   -|- 123456   -|
    |-  2 -|- timber   -|- 1234567  -|

Table with md5:

    |- id -|- username -|-             password             -|
    |-  1 -|- jersey   -|- e10adc3949ba59abbe56e057f20f883e -|
    |-  2 -|- timber   -|- fcea920f7412b5da7be0cf42b8c93759 -|

A more secure way:

    secret_key = topsecretkey
    password: 123456
    md5(password + secret_key)

It will generate a better md5.
Utku Yıldırım
  • This looks very good! Is it in any way possible for 2 different strings to be generated into the same hashed string? Just the slightest 1:1000000 chance? Or will any non-similar string be 100% unique? – MicBehrens Nov 18 '11 at 12:37
  • md5 is 128-bit, it's almost impossible to get a collision, it's like 2^-128; if it's not a top secret company thing you can use it safely – Utku Yıldırım Nov 18 '11 at 12:42
  • Thanks... Is it possible to un-hash a string using MD5? Just thinking, if I want to write a user password on the webpage? – MicBehrens Nov 18 '11 at 12:43
  • It's a hash algorithm, not reversible. If you want to reverse-encode you need to choose another algorithm – Utku Yıldırım Nov 18 '11 at 12:46
1

I actually just found a free ASP script implementing the SHA-256 one-way encryption algorithm, which is one of the industry standard methods for generating digital signatures.

It also contains a form and ASP code that demonstrates how the algorithm can be used. The SHA-256 algorithm is one of the industry standard methods for generating digital signatures. It is generically known as a digest, digital signature, one-way encryption, hash or checksum algorithm. A common use for SHA-256 is for password encryption as it is one-way in nature, but that does not mean that your passwords are free from a dictionary attack.

I don't know if this is more secure than MD5, but here it goes:

http://www.freevbcode.com/ShowCode.asp?ID=2565

MicBehrens
0

Here is a method that converts the given string value (password) to a hash string. This is C# code, so it will work with .NET.

    using System;
    using System.Security.Cryptography;

    // Prepends the salt to the value, hashes the result with SHA-1 and
    // returns the digest as a Base64 string for storage in the database.
    public static string HashString(string value, string salt)
    {
        value = salt + value;
        HashAlgorithm myHasher = new SHA1CryptoServiceProvider();
        byte[] myHashInBytes = myHasher.ComputeHash(System.Text.Encoding.Default.GetBytes(value));
        return Convert.ToBase64String(myHashInBytes);
    }
Azhar Khorasany
0

This would usually be a server side ASP function.

When a user is created or their password is updated you would pass the plain text password to a function which would create a one-way hash of the password. MD5 or similar would usually suffice, but depending on the security required you may want to opt for harder-to-beat encryption algorithms. The hashed password is then sent to the database for storage in the encrypted format.

When logging in you take the plain text version of the password as entered, hash it using the same algorithm as before, then compare to the stored hashed version in the database. If they are the same, then they have entered the correct password.

You can make this slightly harder for a hacker to crack using something called salt. This is a randomly generated string, stored in the database in plain text, that you add to the original password, and thus the password you are checking, to add some randomness to the hashed value. If you don't do this then a brute force attack that breaks through one password can be used to break all passwords. If you use salt, then they would only get one password for each brute force attack.

Matt Fellows
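The following is an added worked example, not code from any of the answers above or from the asker's application. It puts the thread's pieces together in one runnable script: the unsalted md5 table from the first answer (its two hash values are reproduced), the per-user salt that the last answer explains, and the store-then-verify flow from the third and fourth answers. It is written in Python rather than ASP Classic so it can run anywhere, and it makes three assumptions that the thread does not: SQLite stands in for MSSQL, PBKDF2-HMAC-SHA256 from `hashlib` stands in for the MD5/SHA-1/SHA-256 the answers mention (a deliberately slow, salted hash), and the function names (`make_password_record`, `verify_password`, `register`, `login`) are hypothetical. The login path looks the user up by name with a parameterised query and does the hash comparison in application code rather than in the `WHERE` clause, which also covers the "escape for SQL injection" comment in the first answer.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed starting work factor for PBKDF2; raise it as far as login latency allows.
ITERATIONS = 100_000


def unsalted_md5(password: str) -> str:
    """The scheme from the first answer: hex md5 of the raw password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_password_record(password: str, salt=None) -> str:
    """Build a storable record 'pbkdf2$<iterations>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt is drawn per user, so two users with the same
    password get different records (the salt point from the last answer).
    PBKDF2-HMAC-SHA256 is an assumption of this example, not from the thread.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


# Used to spend the same time on an unknown username as on a wrong password.
DUMMY_RECORD = make_password_record("not-a-real-password")


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations_s, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_s)
    except ValueError:
        return False  # malformed record (e.g. a leftover plaintext value) never verifies
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def create_db() -> sqlite3.Connection:
    """In-memory SQLite table mirroring the asker's users(id, username, password) layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only the salted hash record; the plaintext never reaches the table."""
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (username, make_password_record(password)),
    )


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup by username only; the hash check happens here in code,
    not inside the WHERE clause as in the first answer's query."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        verify_password(password, DUMMY_RECORD)  # equalise timing for unknown users
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    # Constructed sample data: the two users from the question, given the same password.
    conn = create_db()
    register(conn, "jersey", "123456")
    register(conn, "timber", "123456")
    print("unsalted md5 of 123456:", unsalted_md5("123456"))
    for username, record in conn.execute("SELECT username, password FROM users"):
        print(username, record)
    print("jersey/123456:", login(conn, "jersey", "123456"))
    print("jersey/wrong :", login(conn, "jersey", "wrong"))
    print("nobody/123456:", login(conn, "nobody", "123456"))
```

Running the script shows that `jersey` and `timber`, who share the password `123456`, would get the identical md5 `e10adc3949ba59abbe56e057f20f883e` under the first answer's scheme but get two different stored records here, so cracking one does not reveal the other. The record carries its own salt and iteration count, which lets the work factor be raised later without invalidating existing rows.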