Storing Password in the Sql server database in a secure way.

Question

0.00/5 (No votes)

See more:

SQL-Server-2012

, +

I am working on my web project. I want to store user password the secure way like hashing, but i came to know that after the password is hashed it cannot be converted back. But in My project i have To implement Forgot password and reset password. Reset Password is OK but when the case of forget password came how would i convert the stored hashed password into the original password and then mailed to the user.

So, I need to know which Hashing technique or Algo is better for my case.

Posted 21-Apr-14 7:22am

Muhammad Taqi Hassan Bukhari

Add a Solution

4 solutions

Solution 3

Well, my suggestion would be not to implement the Forgot Password by sending their password as plain text in email.

I would rather extend Forgot Password as Reset Password. Thus, if you forget your password you are forced to reset your password.

And this is standard and more secure practice followed. Reason being, I get access your email somehow and I say forgot password for your system. Not only I have access your email but I also know the TEXT PASSWORD which you use (and may be using in number of other sites).

Just give a thought about it!

Posted 21-Apr-14 8:16am

Manas Bhardwaj

Updated 21-Apr-14 11:20am

v2

Solution 2

Encrypt using the master key..

SQL

-- Create database Key
USE Hassan_Web_Project_DB;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Password123';
GO

SQL

-- Create self signed certificate
USE Hassan_Web_Project_DB;
GO
CREATE CERTIFICATE Certificate1
WITH SUBJECT = 'Protect Data';
GO

SQL

-- Create symmetric Key - This is used to both encrypt and decrypt our data
USE Hassan_Web_Project_DB;
GO
CREATE SYMMETRIC KEY SymmetricKey1
 WITH ALGORITHM = AES_128
 ENCRYPTION BY CERTIFICATE Certificate1;
GO

Now insert by encrypting

SQL

INSERT INTO dbo.User_Login (User_ID, User_Name, User_Password)
VALUES (25665, 'mssqltips4', EncryptByKey( Key_GUID('SymmetricKey1'), CONVERT(varchar,'4545-58478-1245') ) )

And select by decrypting

SQL

SELECT User_ID, User_Password AS 'Encrypted User_Password',
CONVERT(varchar, DecryptByKey(User_Password)) AS 'Decrypted User_Password'
FROM dbo.User_Login;

Posted 21-Apr-14 7:35am

Guruprasad.K.Basavaraju

Solution 1

Generates a random password, assigns it to the user account, sends an email informing the user of their new password
- http://www.asp.net/web-forms/tutorials/security/admin/recovering-and-changing-passwords-cs[^]
- http://www.fishnetsecurity.com/6labs/resource-library/white-paper/best-practices-secure-forgot-password-feature[^]

Posted 21-Apr-14 7:35am

DamithSL

Updated 21-Apr-14 7:36am

v2

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

**Zoltán Zörgő** · Accepted Answer · 2014-04-21T08:50:00

"Forgor password" functionality does not mean sending old plain text password to the user. Not at all. Actually this is the most vulnerable point in an application, since you have no control over what's happening. Generating one-time-password and sending that one to the user and forcing the user to change it is common approach, although not more secure than sending the old password. Why? Because there is only one channel and one component is involved.

If you want to identify somebody, you have three components to use, you can ask three kind of "questions".
You can be identified using these components:
1) what you have - a hard or soft token, smart card, a phone
2) what you know - a password, an answer to a question
3) what you are - biometrical data
For a general web application it is hard to implement the third component. Still, you have two left. You should use these two.

Still, most pages use only the second component, but at least they are using at least two different aspects of it, like passwords and secret questions. If your application is not that critical, you can do the same.

This is a good starting point: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet[^], and some more thoughts here: http://www.securabit.com/wp-content/uploads/2010/08/self-service-password-reset_v5-1.pdf[^]