Encrypting Passwords Before Saving to the Database


"Learn how to encrypt and decrypt passwords when using them with role-based security."
- Anh Trinh, Software Engineer, Iron Speed, Inc.

January 4, 2007
Iron Speed Designer V4.1

Introduction

It's often useful for applications to encrypt data before saving it to the database. Such a situation occurs when adding a new user record, and for security reasons, you do not want their password to be readable directly from the database.

In this example, we protect the password with a one-way hash rather than reversible encryption: the code below uses the .NET SHA1CryptoServiceProvider hash algorithm, but you could substitute any hashing or encryption method you wish. When a user logs in, we hash the submitted password the same way and compare the result to the hashed value stored in the database. The two values match only when the user has supplied the correct password, and the user is then allowed to log in.

Our hash input is the concatenation of the Password and UserID fields. Mixing in a second, per-user data element means that two users who choose the same password do not end up with identical stored hashes, which raises our level of security. The example assumes a Users table in the database with at least two fields: UserID and Password.

Saving an Encrypted Password to the Database

The following code customization encrypts the password before saving it into the database. Add this code to the UsersRecordControl class, located in:

.NET Framework 1.1:

...\<App Folder>\Users\AddUsersPage.Controls.cs or .vb

.NET Framework 2.0:

...\<App Folder>\App_Code\Users\AddUsersPage.Controls.cs or .vb

C#:

using System.Security.Cryptography;
...
public override void GetUIData()
{
    base.GetUIData();
    UsersRecord record = this.GetRecord();
    // Hash the password together with the UserID so that two users
    // with the same password do not produce the same stored value.
    string password = record.Password + record.UserID;
    HashAlgorithm mhash = new SHA1CryptoServiceProvider();
    byte[] bytValue = System.Text.Encoding.UTF8.GetBytes(password);
    byte[] bytHash = mhash.ComputeHash(bytValue);
    mhash.Clear();
    // Replace the clear-text password with the Base64-encoded hash before the record is saved.
    record.Password = Convert.ToBase64String(bytHash);
}

Visual Basic .NET:

Imports System.Security.Cryptography
...
Public Overrides Sub GetUIData()
    MyBase.GetUIData()
    Dim record As UsersRecord = Me.GetRecord()
    ' Hash the password together with the UserID so that two users
    ' with the same password do not produce the same stored value.
    Dim password As String = record.Password & record.UserID
    Dim mhash As HashAlgorithm = New SHA1CryptoServiceProvider()
    Dim bytValue() As Byte = System.Text.Encoding.UTF8.GetBytes(password)
    Dim bytHash() As Byte = mhash.ComputeHash(bytValue)
    mhash.Clear()
    ' Replace the clear-text password with the Base64-encoded hash before the record is saved.
    record.Password = Convert.ToBase64String(bytHash)
End Sub

Using the Encrypted Password when Logging into the Application

The following code hashes the password and user name entered on the sign-in page in exactly the same way, so that the result reproduces the value stored in the Password field (the user name entered at sign-in must therefore be the same value as the record's UserID). It then puts this hashed value back into the Password text field before calling the base.Login() method to complete the login process. Place this code in the SignInControl class, located in:

.NET Framework 1.1:

...\<App Folder>\Shared\SignIn_Control.Controls.cs or .vb

.NET Framework 2.0:

...\<App Folder>\App_Code\Shared\SignIn_Control.Controls.cs or .vb

C#:

using System.Security.Cryptography;
...
public override void Login(bool redirectOnSuccess)
{
    // Recreate the stored hash: SHA-1 over UTF-8(Password + UserName), Base64-encoded.
    string password = this.Password.Text + this.UserName.Text;
    HashAlgorithm mhash = new SHA1CryptoServiceProvider();
    byte[] bytValue = System.Text.Encoding.UTF8.GetBytes(password);
    byte[] bytHash = mhash.ComputeHash(bytValue);
    mhash.Clear();
    // Hand the hashed value to the base class, which compares it against the Password column.
    this.Password.Text = Convert.ToBase64String(bytHash);
    base.Login(redirectOnSuccess);
}

Visual Basic .NET:

Imports System.Security.Cryptography
...
Public Overloads Overrides Sub Login(ByVal bRedirectOnSuccess As Boolean)
    ' Recreate the stored hash: SHA-1 over UTF-8(Password + UserName), Base64-encoded.
    Dim password As String = Me.Password.Text & Me.UserName.Text
    Dim mhash As HashAlgorithm = New SHA1CryptoServiceProvider()
    Dim bytValue() As Byte = System.Text.Encoding.UTF8.GetBytes(password)
    Dim bytHash() As Byte = mhash.ComputeHash(bytValue)
    mhash.Clear()
    ' Hand the hashed value to the base class, which compares it against the Password column.
    Me.Password.Text = Convert.ToBase64String(bytHash)
    MyBase.Login(bRedirectOnSuccess)
End Sub

Note: The point of hashing is that the original data cannot be recovered from the stored value, even by the application itself. Therefore, if a user forgets their password, the password cannot be retrieved for them; a new password must be set for that UserID.
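The complete save-then-login flow from the two customizations above, written as a stand-alone example in Python (added here; it is not Iron Speed's or the author's code). It assumes an in-memory dictionary standing in for the Users table and that the sign-in user name is the same value as the stored UserID, which the article's code requires for the two hashes to match.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the Users table: UserID -> stored Password column.
USERS = {}


def hash_password(password: str, user_id: str) -> str:
    """Same construction as the article's GetUIData override:
    SHA-1 over UTF-8(Password + UserID), Base64-encoded.
    The UserID acts as a per-user salt, so equal passwords hash differently."""
    digest = hashlib.sha1((password + user_id).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def save_user(user_id: str, password: str) -> str:
    """AddUsersPage step: replace the clear-text password before the record is saved."""
    stored = hash_password(password, user_id)
    USERS[user_id] = stored
    return stored


def login(user_name: str, password: str) -> bool:
    """SignInControl.Login step: hash the submitted values the same way and
    compare with the stored column. Returns True only for the correct password."""
    stored = USERS.get(user_name)
    if stored is None:
        return False
    candidate = hash_password(password, user_name)
    # Constant-time comparison is an addition of this example; the article
    # leaves the comparison to the framework's base Login() method.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    save_user("alice", "Secret1")
    save_user("bob", "Secret1")  # same password, different stored hash
    print(USERS["alice"] != USERS["bob"], login("alice", "Secret1"), login("alice", "wrong"))
```

Because the UserID is part of the hash input, changing a user's ID invalidates the stored value just as surely as a forgotten password does; the user must be given a new password in that case too.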

About the Author

Anh Trinh
Software Engineer, Iron Speed, Inc.

Anh is a software engineer at Iron Speed, Inc. He enjoys developing applications with Iron Speed Designer and Microsoft .NET technology.
