User Passwords In a Hosted Environment

[Jordan]

I'm implementing ASP.NET Forms authentication, and storing passwords in a
SQL Server database.

Just wondering what some of you who have implemented this scenario in a
hosted environment do to keep the passwords in the database "safe". Do you
store them as plain text, do you base(64) encode them? do you encrypt them?

What would you recommend for keeping user's passwords safe in a hosted
environment?

Thanks.

 

[Steve C. Orr [MVP, MCSD]]

The best practice is to not store the password at all, but instead store a
hash of the password.
Here's more details:
http://www.aspnetpro.com/NewsletterArticle/2003/04/asp200304so_l/asp200304so_l.asp

And here's some articles using other encryption techniques:
http://www.fawcette.com/vsm/2002_08/online/hottips/fergus/default.asp
http://www.devx.com/security/article/7019

 

[Jordan]

Thank You Steve and Eric. You provided exactly the type of information I was
seeking.

Steve: FWIW: the fawcett.com link you provided is dead.