
SQL query to create a encrypted password

Developer https://www.devze.com 2023-03-04 22:08 Source: Internet
I am trying to create a secure password login screen in C#. Right now I have just created the login screen and I am able to read the username and password from the database. But what I have designed does not have an encrypted password. Can anyone help me out with how to write a query to generate an encrypted password and store the encrypted password value in a separate field? Thanks in advance.


Consider hashing the password that you currently store. SQL can hash a password as follows:

-- T-SQL: hash a sample password literal (the value is just an example)
DECLARE @HashThisPassword nvarchar(4000);
SELECT @HashThisPassword = CONVERT(nvarchar(4000), 'dslfdkjLK85kldhnv$n000#knf');
-- HashBytes returns the digest as varbinary; this is what would be stored
SELECT HashBytes('SHA1', @HashThisPassword);

... But SQL shouldn't even need to do this. You should hash the password as soon as your C# application receives it, and then only ever pass the hashed password into SQL to be saved. When checking if the user has provided the correct password for login, compare the hashes.


Your best bet is one way encryption.

What happens in this scenario is the user selects/is given a password. When that password is stored in the database it passes through this one way encryption before it is stored. (You'll be doing this in your c# code)

Then when the user logs in, the entered password passes through this same one way encryption before it is compared with the password in the database.

This ensures that if a hacker gets into the database, it will be difficult to learn the password because they would have to determine the encryption type, and then devise a way to un-encrypt it which to my understanding is difficult at best, impossible at worst.

Here is a link to some code that may help. One Way Encryption

You don't want to do the encryption in sql itself, because if a hacker DOES access your database, they will be able to simply look at the procedure/function that you are using to do the encryption and they will have a much easier time.

And you don't want to store the password in the database unencrypted either...

Your best bet is to write some code to read the password, encrypt it, and update the record, then all you have to do is continue to use the same encryption type and salt.

The c# cryptography library is very easy to use.

