hash codes of passwords as query string?

nasirmajor

Dear all,
my simple question is: if we have hashed the users' passwords and
stored them in databases,
then can we use that hash code, e.g.
D52987198EA2730FD22A38E7976344D843A7FFA0
in the query string? The reason for asking is: are generated hash
codes always unique, so that we can use them for page navigation
like in a query string?
 
Why would you ever put the password in a querystring? It would be a
huge security problem...

Use sessions and use the sessionid for whatever you wanted to use the
password hash for. The sessionId will be unique for each user AND
change when the session expires (e.g. the user logs off). You could also
generate your own unique ID to use.
 
Theoretically it should be pretty darned secure, but why risk it when there
are such simple alternatives?
I prefer to never expose a password in any form. You could just as easily
use a SessionID or create a custom GUID that you associate with that user.
I think these techniques would be preferable.
 
Steve C. Orr [MVP, MCSD] wrote:
Theoretically it should be pretty darned secure

That depends on how he plans to use the hash - if it's like
"page.aspx?logged_in=true" it's not even close to secure. If it's just
some sort of user identification it's a little secure - it could be easy
to hijack another user's profile just by changing the hash in the query.
And if it is just to identify the logged-in user there are plenty of
better ways to do that.

The only way it's secure is that it's still pretty hard to reverse the
hash and get the actual password from it - but that might not even be
necessary.
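
An added example, not code from any poster in this thread: a Python sketch of why a stored password hash makes a poor URL identifier and what the session-ID or custom-GUID approach suggested in the replies looks like. It assumes the stored value is an unsalted SHA-1 hex digest (the question's value has the 40-hex-digit length of one); `SessionStore`, the account names, the password and the 20-minute lifetime are constructed for illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 20 * 60  # seconds; constructed lifetime for this example

def password_hash(password):
    # Assumed scheme: unsalted SHA-1, hex-encoded (40 hex digits).
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class SessionStore:
    """Hypothetical server-side map from an opaque random token to a user."""

    def __init__(self):
        self._sessions = {}  # token -> (user, expiry time)

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, now + SESSION_TTL)
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        user, expires = self._sessions.get(token, (None, 0))
        if user is None or now >= expires:
            self._sessions.pop(token, None)  # forget the entry once it has expired
            return None
        return user

    def logout(self, token):
        self._sessions.pop(token, None)

def demo():
    # Constructed accounts: two users who happen to pick the same password.
    h = {u: password_hash(p) for u, p in [("alice", "Summer2006"), ("bob", "Summer2006")]}
    store = SessionStore()
    t1 = store.login("alice", now=0)
    t2 = store.login("alice", now=0)
    store.logout(t1)
    return {
        "same_hash_for_two_users": h["alice"] == h["bob"],
        "tokens_differ_per_login": t1 != t2,
        "token_after_logout": store.lookup(t1, now=1),
        "live_token": store.lookup(t2, now=1),
        "token_after_expiry": store.lookup(t2, now=SESSION_TTL + 1),
    }

if __name__ == "__main__":
    print(demo())
```

The hash is identical for both accounts and never changes until the password does, while each login gets a fresh token that stops working at logout or expiry.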
 