I feel like I'm kind of inventing the wheel all over but I haven't understood if I can use ASP.NET User Management with mySQL. Not sure if I want to either.
I am designing a web site which requires user management. I use mySQL and .NET 4. Right now I've made a class Register which registers a user, but I am unsure how to protect the password and what to think about when implementing this functionality? I've been thinking of hashing it up with MD5 but it seems futile. The only thing the hash would protect against is me开发者_如何学Go reading the passwords in cleartext. As long as it gets sent over https it's considered quite safe, right? (Feel free to bash me on that one.. I've really no clue really)
How would you do this? Any suggestions are welcome!
EDIT
Thanks for leading me down the right path! I found a couple of interesting questions here (like this one: What should I use for password fields in a table; MD5 or SHA1?) after I knew what to look for. Looks like hashed password + random salt is the way to go.
I don't know about using MySQL with the default SQL tables that you can generate for SQL server, but you can implement your own membership provider (deriving from the base ones that come with the framework). This has the advantage that following the same pattern should protect you from some of the common security mistakes that people make.
As for storing the passwords in clear text, you should do some reading... :
http://www.kavoir.com/2010/03/just-hashing-is-far-from-enough-how-to-position-against-dictionary-and-rainbow-attacks.html
You can use ASP.NET User Management with mySQL, just write your MembershipProvider:
Here is an example: http://www.codeproject.com/KB/database/mysqlmembershipprovider.aspx
If the server gets compromised, and you store passwords in clear text, the intruder has access to those passwords. While your site may not be worth the trouble, some user's online banking password could be the same thing. (And just about everyone uses the same password, or a very similar one, for multiple sites.) Do you want to be responsible for someone stealing millions from your users?
精彩评论