Home > Back-end >  How to secure password and hash from SQL Server?
How to secure password and hash from SQL Server?

Time:01-12

I have a .NET WPF application.

I create two accounts, one is named "final" will be defined. The password of this account will be defined as "Fnl666". The other account is named "admin" will be defined in this system.

But the admin account password must be kept secret (should never know the admin password). Even my project source code I shouldn't be able to find the password for this admin account in clear text if I look into it. How to solution to this you need to provide?

I have thought to use password asymmetric encryption or hash entered on the login page of the Login will compare the hash database value and compare to the password.

What is your advice?

How to hide the admin password on the login page in .NET and in SQL Server?

login page

homepage

secure password hash

database screenshot

Here is my hash algorithm:

public static string hashPassword(string password)
{
        SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider();
        byte[] password_bytes = Encoding.ASCII.GetBytes(password);
        byte[] encrypted_bytes = sha1.ComputeHash(password_bytes);
        return Convert.ToBase64String(encrypted_bytes);
}

Here is my login page submit button click

protected void btnLogin_Click(object sender, EventArgs e)
{
        try
        {
            conn.Open();
            SqlCommand cmd = new SqlCommand("Select * from tbl_Login where @P1=userName and @P2=password", conn);

            cmd.Parameters.AddWithValue("@P1", TextBox1.Text);
            cmd.Parameters.AddWithValue("@P2", hashPassword(TextBox2.Text));

            SqlDataReader dr = cmd.ExecuteReader();

            if (dr.Read())
            {
                if (hashPassword(TextBox2.Text) == ??)
                {
                    Server.Transfer("loginSuccesful.aspx");
                    //Response.Redirect();
                }
            }
            else
            {
                Server.Transfer("errorPage.aspx");
            }
        }
        catch
        {
            Server.Transfer("errorPage.aspx");
        }
}

CodePudding user response:

For any type of Application,

Encryption:

  1. You can hash the password with some strong hashing algorithm (For eg. BCrypt) with a random salt.
  2. Then Encrypting the hashed password with some strong encryption algorithms like AES-256 with a user-specific key.
  3. In this way, you can strongly hide anyone's password.

Decryption:

  1. You must decrypt the password first with the current user's key, then you must hash the user entered password again with the same salt(may store salt on the database) and check for the same hashed password with the database and let them into the application.

Always Encrypted: If you again want some protection for the SQL database, you can use Always Encrypted on SSMS to encrypt the sensitive columns of your tables.

I think what I've answered is relevant for you.

Page link:https//www.codepudding.com/Backend/260481.html

Prev:A code error about template and iterator of C made by a C new learner
Next:Why can't I std::apply for a member function
  •  Tags:  
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding