Example: Encrypting Passwords Before Saving to the Database

March 9, 2010
Iron Speed Designer V7.0 and later

Password storage

Most applications with built-in password security store the user name and password information in the underlying database.  While this is convenient and allows for easy administration, it isn’t always the most secure because a variety of users, mostly internal, have access to that information.  A malicious employee with access to password data can steal another user’s identity and forge bogus transactions.  This form of identity theft is commonly used by insiders to create fictitious customer accounts and then ship products to mail drops or to initiate credit card refunds to their own accounts.

One simple and effective defense against identity theft is encrypting the password in the database using one of several simple encryption protocols.  The application program encrypts the clear text password before comparing it to the stored encrypted password as part of its authentication protocol.  This prevents unauthorized users from using the passwords because the clear text version isn’t stored in the database.

Iron Speed Designer can create role-based security for your application using user name and password fields in your database, and not in any special tables created by Iron Speed Designer.  You can quickly and conveniently build applications on top of your existing database, using existing user names and passwords.  Adding simple but effective password encryption is easily accomplished by sub-classing the sign in classes in the class hierarchy.

Data encryption and decryption

It’s often useful for applications to encrypt data before saving it to the database.  Such a situation occurs when adding a new user record, and for security reasons, you do not want their password to be readable directly from the database.

In this example, we protect the password data with a .NET hash algorithm (SHA-1, through the SHA1CryptoServiceProvider class used in the code below).  A hash is one-way, so the stored value is compared but never decrypted.  Of course, you could use any encryption method you wish instead of the hash function.  When a user logs in, we hash the password value and compare the hashed password to the encrypted password in the database.  They will match when the user provides a correct password, and the user is allowed to log in.

Our hash key is a concatenation of the Password and UserID fields.  Using two data elements lessens the chances of producing identical encrypted passwords if two users have the same password, thereby increasing our level of security.  Our example also assumes a Users table in our database and the Users table contains at least two fields: UserID and Password.

Saving an encrypted password to the database

The following code customization encrypts the password before saving it into the database.  Add this code to the UsersRecordControl class, located in:

...\<App Folder>\App_Code\Users\AddUsers.Controls.cs or .vb

C#:

using System;
using System.Security.Cryptography;

...

public override void GetUIData()
{
     base.GetUIData();

     // Combine the password and user name to form the hash input.
     UsersRecord record = this.GetRecord();
     String myPassword = record.Password + record.UserName;

     // Compute the SHA-1 hash of the UTF-8 bytes.
     HashAlgorithm mhash = new SHA1CryptoServiceProvider();
     byte[] bytValue = System.Text.Encoding.UTF8.GetBytes(myPassword);
     byte[] bytHash = mhash.ComputeHash(bytValue);
     mhash.Clear();

     // Store the Base64-encoded hash in place of the clear text password.
     record.Password = Convert.ToBase64String(bytHash);
}

Visual Basic .NET:

Imports System
Imports System.Security.Cryptography

Public Overrides Sub GetUIData()
     MyBase.GetUIData()

     ' Combine the password and user name to form the hash input.
     Dim record As UsersRecord = Me.GetRecord
     Dim myPassword As String = record.Password + record.UserName

     ' Compute the SHA-1 hash of the UTF-8 bytes.
     Dim mhash As HashAlgorithm = New SHA1CryptoServiceProvider
     Dim bytValue() As Byte = System.Text.Encoding.UTF8.GetBytes(myPassword)
     Dim bytHash() As Byte = mhash.ComputeHash(bytValue)
     mhash.Clear()

     ' Store the Base64-encoded hash in place of the clear text password.
     record.Password = Convert.ToBase64String(bytHash)
End Sub

Using the encrypted password when logging into the application

The following code hashes the Password and UserID to create the encrypted password.  It then puts this encrypted password back into the Password text field before calling the base.login() method to complete the login process.  Place this code in the SignInControl class, located in:

Security\SignIn.aspx.cs (.vb)

C#:

using System.Security.Cryptography;
using System;

...

public void Login(bool redirectOnSuccess)
{
     // Rebuild the same hash input that was used when the password was saved.
     String myPassword = this.Password.Text + this.UserName.Text;

     HashAlgorithm mhash = new SHA1CryptoServiceProvider();
     byte[] bytValue = System.Text.Encoding.UTF8.GetBytes(myPassword);
     byte[] bytHash = mhash.ComputeHash(bytValue);
     mhash.Clear();

     // Replace the typed password with its hash, then run the standard login.
     this.Password.Text = Convert.ToBase64String(bytHash);
     this.Login_Base(redirectOnSuccess);
}

Visual Basic .NET:

Imports System.Security.Cryptography
Imports System

Public Sub Login(ByVal bRedirectOnSuccess As Boolean)
     ' Rebuild the same hash input that was used when the password was saved.
     Dim myPassword As String = (Me.Password.Text + Me.UserName.Text)

     Dim mhash As HashAlgorithm = New SHA1CryptoServiceProvider
     Dim bytValue() As Byte = System.Text.Encoding.UTF8.GetBytes(myPassword)
     Dim bytHash() As Byte = mhash.ComputeHash(bytValue)
     mhash.Clear()

     ' Replace the typed password with its hash, then run the standard login.
     Me.Password.Text = Convert.ToBase64String(bytHash)
     Me.Login_Base(bRedirectOnSuccess)
End Sub

Note:  The point of hashing is preventing the user from discovering the original data.  Therefore, if a user forgets their password, that particular UserID will need to provide a new password.

See Also

Customizing Application Security

Implementing Custom User Authentication

Example: Overriding Security at the Page Level

Example: Programmatically Accessing the Currently Logged-in User

Example: Access User Name and Password from Sign In Control

Example: Allow Only Active Users to Login

Example: Encrypting Passwords Before Saving to the Database

Example: Restrict Login after Incorrect Password Used