Click here to Skip to main content
15,068,879 members
Please Sign up or sign in to vote.
3.40/5 (3 votes)
Hi, I want to encrypt my password using jquery/javascript and then decrypt it using c# at server side, can anyone tell me the simplest way to accomplish it. Thanks
Prasad Khandekar 5-Jun-13 16:10pm
Doing so will expose the secret key to preying eyes. Instead try and use a hash function such as SHA-1, MD-5 etc. And on the server side user one more hash with a known random salt to compare it with the value stored in database. In your database you can store the password in $SALT$HASH where HASH is computed by SHA-1(SALT + SHA-1(PLAIN-TEXT PASSWORD)).
I are right basically, but not about SHA-1 — it's found vulnerable (broken), please check with Wikipedia.

I provided a detailed answer, please see.

Prasad Khandekar 5-Jun-13 16:31pm
You are absolutely right, In a real world application one should be using SHA-256 and not SHA-1, MD-5. +5
ZurdoDev 5-Jun-13 16:21pm
If you just use SSL you don't need to encrypt it on the client side. What are you actually trying to accomplish?
Good point. True, but even under SSL wrong use of password may create security leak. That's why it's good to understand the principles — please see my answer.
I added [EDIT] to my answer, crediting this comment. Thank you very much.
alamz7 5-Jun-13 16:40pm
Basically, I'm making an Ajax call to know if the credentials entered by users are authenticated, and that's the reason I want to encrypt the password at client side as on client side password having plain text is not a good idea. Also my scenorio is, doing it without SSL
Than you can use my answer, with understanding of the potential vulnerability. Also, you can implement some SSL over HTTP, there are such projects. The point is: don't send a password, don't send a private (or the only) key. Hence, the cryptographic hash solution.
Your problem is solved.

Prasad is right, this is not how secret authentication is done. You should not really encrypt the password, but you can instead use a cryptographically strong hash function:[^].

Now, you don't need to ever store a password anywhere. Instead, you should store passwords' hash value and compare hash to hash. So, the user creates password for a very first time. JavaScript creates its hash and delivers the value to the server side where it is stored. Next time, when a use is authenticating, it sends only the hash, and then the server side compares hash to hash.

I really strongly advise to use SHA256 (in particular, MD5 and SHA1 family of algorithms are found vulnerable):[^].

You can use JavaScript implementation of the algorithm. For example, here:[^].

And .NET provides comprehensive implementation if its BCL:[^],[^].


Please see the comment by ryanb31: this along won't be enough, as the hash value sent can also be eavesdropped by spying on IP packages and then the user post can be imitated. So, it needs SSL. However, I explained the principles of using the cryptographic hash.


I have done same implementation for some of my clients, but approach was totally different from as describe above.

Client level encryption but that encryption key would be retrieved dynamically.

when user as for Log In page send the dynamic key from server based on that generate the encrypted password then send it to server.

Its best to build your own mechanize for encryption because all of a sudden you can change the whole logic.

I my case I have append the key with the password so always its show and new encrypted password, this way it became a dynamic encryption, I know its tough to understand via word but I cant share those codes as they are patent so if need some more clarification feel free to ask.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900