User Passwords In a Hosted Environment

Jordan · Jun 22, 2004

I'm implementing ASP.NET Forms authentication, and storing passwords in a
SQL Server database.

Just wondering what some of you who have implemented this scenario in a
hosted environment do to keep the passwords in the database "safe". Do you
store them as plain text, do you base(64) encode them? do you encrypt them?

What would you recommend for keeping user's passwords safe in a hosted
environment?

Thanks.

Steve C. Orr [MVP, MCSD] · Jun 22, 2004

The best practice is to not store the password at all, but instead store a
hash of the password.
Here's more details:
http://www.aspnetpro.com/NewsletterArticle/2003/04/asp200304so_l/asp200304so_l.asp

And here's some articles using other encryption techniques:
http://www.fawcette.com/vsm/2002_08/online/hottips/fergus/default.asp
http://www.devx.com/security/article/7019

Jordan · Jun 22, 2004

Thank You Steve and Eric. You provided exactly the type of information I was
seeking.

Steve: FWIW: the fawcett.com link you provided is dead.

asp.net uk hosting recommendations	1	Nov 18, 2008
custom authenticate users, how?	5	May 14, 2009
aspnet database stores password in plaintext?	3	Oct 8, 2009
Password protected html files	5	Jun 17, 2006
Does NetworkCredential itself encrypt user credentials?	3	Jul 9, 2007
CloudPets stuffed toys leak details of half a million users	1	Feb 28, 2017
Forms authentication, user login status is not maintained	3	Jun 29, 2007
Hosting Solutions For Full-Text Site	2	Nov 13, 2008

User Passwords In a Hosted Environment

Jordan

Steve C. Orr [MVP, MCSD]

Jordan

Ask a Question

Similar Threads