Buy My Account


Basics
Overview
Video Demos
Pricing & Ordering
Sample Applications
Customers
Free Training
What's New in V10.0
Download Now!

Product Tour
Product Tour
Web Applications
Mobile Applications
SharePoint Applications
Charts and Reports
Security
Easy Code Customization
Team Development

Technical Materials
Training Courses
Online Help
Technical Forums
White Papers
One Day Web Apps E-book
System Requirements
Product Roadmap
Version History

Encrypting Passwords Before Saving to the Database

"Learn how to encrypt and decrypt passwords when using them with role-based security."
- Anh Trinh, Software Engineer, Iron Speed, Inc.

January 4, 2007
Iron Speed Designer V4.1

Introduction
It's often useful for applications to encrypt data before saving it to the database. Such a situation occurs when adding a new user record, and for security reasons, you do not want their password to be readable directly from the database.

In this example, we encrypt and decrypt data using the .NET Hash() function to encrypt the password data. Of course, you could use any encryption method you wish instead of the Hash() function. When a user logs in, we hash the password value and compare the hashed password to the encrypted password in database. They will match when user provides a correct password, and the user is allowed to log in.

Our hask key is a concatenation of the Password and UserID fields. Using two data elements lessens the chances of producing identical encrypted passwords if two users have the same password, thereby increasing our level of security. Our example also assumes a Users table in our database and the Users table contains at least two fields: UserID and Password.

Saving an Encrypted Password to the Database
The following code customization encrypts the password before saving it into the database. Add this code to the UsersRecordControl class, located in:

.NET Framework 1.1:

...\<App Folder>\Users\AddUsersPage.Controls.cs or .vb

.NET Framework 2.0:

...\<App Folder>\App_Code\Users\AddUsersPage.Controls.cs or .vb

C#:

using System.Security.Cryptography;
...
public override void GetUIData()
{
    base.GetUIData();
    UsersRecord record = this.GetRecord();
    string password = record.Password+record.UserID;
    HashAlgorithm mhash = new SHA1CryptoServiceProvider();
    byte[] bytValue = System.Text.Encoding.UTF8.GetBytes(password);
    byte[] bytHash = mhash.ComputeHash(bytValue);
    mhash.Clear();
    record.Password = Convert.ToBase64String(bytHash);
}

Visual Basic .NET:

using System.Security.Cryptography;
 
Public Overrides Sub GetUIData()
    MyBase.GetUIData()
    Dim record As UsersRecord = Me.GetRecord
    Dim password As String = record.Password + record.UserID
    Dim mhash As HashAlgorithm = New SHA1CryptoServiceProvider
    Dim bytValue() As Byte = System.Text.Encoding.UTF8.GetBytes(password)
    Dim bytHash() As Byte = mhash.ComputeHash(bytValue)
    mhash.Clear()
    record.Password = Convert.ToBase64String(bytHash)
End Sub

Using the Encrypted Password when Logging into the Application
The following code hashes the Password and UserID to create the encrypted password. It then puts this encrypted password back in to the Password text field before calling the base.login() method to complete the login process. Place this code in the SignInControl class, located in:

.NET Framework 1.1:

...\<App Folder>\Shared\SignIn_Control.Controls.cs or .vb

.NET Framework 2.0:

...\<App Folder>\App_Code\Shared\SignIn_Control.Controls.cs or .vb

C#:

using System.Security.Cryptography;
...
public override void Login(bool redirectOnSuccess)
{
    string password = this.Password.Text+this.UserName.Text;
    HashAlgorithm mhash = new SHA1CryptoServiceProvider();
    byte[] bytValue = System.Text.Encoding.UTF8.GetBytes(password);
    byte[] bytHash = mhash.ComputeHash(bytValue);
    mhash.Clear();
    this.Password.Text = Convert.ToBase64String(bytHash);
    base.Login(redirectOnSuccess);
}

Visual Basic .NET:

Imports System.Security.Cryptography
 
Public Overloads Overrides Sub Login(ByVal bRedirectOnSuccess As Boolean)
    Dim password As String = (Me.Password.Text + Me.UserName.Text)
    Dim mhash As HashAlgorithm = New SHA1CryptoServiceProvider
    Dim bytValue() As Byte = System.Text.Encoding.UTF8.GetBytes(password)
    Dim bytHash() As Byte = mhash.ComputeHash(bytValue)
    mhash.Clear()
    Me.Password.Text = Convert.ToBase64String(bytHash)
    MyBase.Login(bRedirectOnSuccess)
End Sub

Note: The point of hashing is to prevent the user from discovering the original data. Therefore, if a user forgets their password, that particular UserID will need to provide a new password.

About the Author
Anh Trinh
Software Engineer, Iron Speed, Inc.

Anh is a software engineer at Iron Speed, Inc. He enjoys developing applications with Iron Speed Designer and Microsoft .NET technology.

   
Resources
Training Videos
Training Courses
Knowledge Base
Online Help
 Support
Technical Support
Technical Forums
Code Customizations
MVPs / Consultants
 Customers
News & Reviews
Product Council
Shopping Cart
 Company
About Us
Contact Us
Management
Jobs
 

Copyright © 2005-2013, Iron Speed, Inc. Iron Speed® is a registered trademark. All rights reserved. Privacy Statement