I'm trying to write a simple ASP.Net app that allows the users to log in with their username and password. I'm using an EF database in the .NET Framework 4, coding in C#. My problem is, when the user registers their details on the registration page, their password value does not save. That textfield is a password field.
How can I save the passwords actual value in the database, but keep the textfield as password? Would I need to encrypt it? I've never done encryption, so any help would be appreciated. Thanks
You should use some cryptographic algorithm to compute the hash for password string (see Hash string in c#). Then store it as byte array or encoded string (like hex or base64) in db.
Related
I've been searching for the past few days about encrypting some data to use on the URL.
I basically have 3 strings and i need to encrypt then on a unique token.
eg: code: '12345678' email: 'teste#encrypt.com' name: 'nameTest'
This will be join together as code%email%name and i need to encrypt them.
What's the best way to do it as i need to pass the encrypted string on the URL for the other server to decrypt? The algorithms i've used all put some form of '/\=' and i guess that probably may cause problems
Thanks for the help
In 2019, URI.encode is obsolete and should not be used
If you want safely put encrypted string into url without problems with special characters then you could use CGI.escapeor ERB::Util.url_encode for this purpose.
require 'erb'
ERB::Util.url_encode("Hello world")
#=> "Hello%20world"
Rails will decode automatically when receiving
If you want something simple that encodes and hide raw data which could be decoded somewhere later and verified then you could use MessageVerifier provided by active support:
#verifier = ActiveSupport::MessageVerifier.new('s3Krit')
cookies[:remember_me] = #verifier.generate([#user.id, 2.weeks.from_now])
id, time = #verifier.verify(cookies[:remember_me])
http://api.rubyonrails.org/classes/ActiveSupport/MessageVerifier.html
http://ngauthier.com/2013/01/rails-unsubscribe-with-active-support-message-verifier.html
If you want true encryption then you could look into such project. It uses OpenSSL:
http://rocketjob.github.io/symmetric-encryption/
I used grails acl security. I wanted to change or edit password of a user after logging as an admin. But when i go to the edit mode, then the password field is showing the encrypted text that was saved before as encrypted string in user table. Is there any way to decrypt the string fetched from database and show in original string form in the password field?
I did not get any straight solution to do this in grails acl.
Any help would be appreciated.
There aren't very good reasons to display the cleartext password. As the user or an admin, if you want to change the password then you do it like any other property. Display the old value (either as * characters since it's a password or possibly the hashed value if you are an admin) and then you can enter a new password. This will get hashed and stored when you update.
As long as the cleartext password satisfies the validation requirements (minimum length, special chars, etc.) then the update should work fine.
Note that passwords are generally not encrypted (which implies that they can be decrypted) but hashed. Hash algorithms are lossy - given any input the hash is typically a fixed length output, so it cannot contain all of the original data and can't be used to retrieve the original value. For passwords this is fine. To authenticate, you don't de-hash the stored value and compare to the cleartext value from the login page - you hash the login page value and compare to the stored hash. With some algorithms they'll be the same, and others (e.g. bcrypt) they'll be different but equivalent, and the algorithm will have a way to check that they're equivalent.
No it is impossible to decrypt the password . It is bad idea to show password to user in edit mode. Its violet the security law. You can change a user's password but can not see it.
I haven't decrypted or d-hashed the password but added a new page to change password for a user. in workflow i did as follows:
1. while creating a user, new hashed password is created
2. while edit, all other desired information are allowed to edit except password (but password is showing in hashed dotted mode for security).
3. added a new link named 'change password' in the user list beside each user
4. finally in the newly created 'changePassword' page, i have assigned another new password with hash operation for the particular user
snatching my hair to fix this problem but I can't.
I am parsing id in url to pull data on next page according to that id. So rather than parsing id=123 I encrypted it something like process.php?token=TG4n6iv_aoO7sU3AngFY4WLSppLvueEoh-MnYE6k7NA, and decrypted it on process.php page by collecting it with $_GET, before using it in sql query. This is not proper URL, I need url like process.php?token=9878799889 and I need to decrypt this 9878799889 on process.php which would give me my original user id.
So here I can not use md5 or base64_encode which give me ugly string.
What would be best thing to do here?
id is unique so generated long digits should be unique as well and not easy to guess.
Right now I am using encrypt logarithm with salt. Actually want to parse like www.sitename.com/process/token/9878799889..this can be achieve with .htaccess so not worried about it..
Any help will be much appreciated..
What you could do is add an association table in your databse, which would contains a UUID as primary key (a randomly generated number) and your true ID reference (and other information you may want to store there, like a "valid until" date or other things...)
You'd have to generate the entry in that table as you parse the UUID
let's say INSERT INTO uuid_table (uuid, real_id) VALUES (9878799889, 123);
now when you process the url process.php?token=9878799889
you would only have to SELECT real_id FROM uuid_table WHERE uuid=9878799889;
it would retern the read id 123
You should also DELETE FROM uuid_table WHERE uuid=9878799889 when you're done.
Note that it would also work with md5 or base_64, but indeed it makes the url uglier.
I am wanting to validate a password in my own controller.
Is there any way I can sent the password to spring security UI and get a return if the password validates?
You are looking for:
springSecurityService.encodePassword
If you have configured your system with salt you will need that as well. Just encode the String, and read the encoded String from your user object, and compare the two
Docs:
http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/single.html#6.2%20SpringSecurityService
I used crypto:sha/1 to hash passwords in my erlang application.
Should I store the binary obtained directly in mnesia or should i convert them to hex string before?
Using crypto:sha/1 for hashing passwords is dangerous. At least have a salt, but preferably, use say scrypt, bcrypt or pbkdf2 for storing passwords like this. They are resilient to a number of attacks. Unfortunately, I know of no Erlang-support for those :/
Use https://github.com/smarkets/erlang-bcrypt to do the hashing rather than SHA1 or MD5.
One could get an Hmac SHA256 hex Digest or MD5 Digest of a password from a front-end application, create a hash using the erlang method and then store this hash. For example, if i had a web application, i ask for password from users, right at account creation or at login, i use javaScript to create an MD5 Digest of this password and send that along the wire (HTTPS) instead of the actual password. On reaching Erlang, i create a hash of this MD5 Digest from JavaScript and store that as the users password. So each time the user attempts to login on my page, i would do the similar process and then compare the hash output of his entry with the one that was stored. Read more on SHA256 HMac Digest by looking at the solutions to this question: HMAC SHA256 hex digest of a string in Erlang, how? and this one: Erlang and JavaScript MD5 Digest match
Actually you store tuples (or records, which is the same) in mnesia, but in the fields of that records you can store any term (including binaries). It's not neccessary to convert them to strings.