I have a project and apparently the designers of the software didn't put security into consideration.
The passwords are stored in plain text and transmitted through plain text. So I am left with the task to fix this.
I am a bit rusty on security, so my question is: for online user password authentication is it better to use hashing/salting techniques or is it better to use AES encryption? Could I have the pros and cons.
Would it be better to somehow use the ASP.NET membership provider? Would this be easy to do? I have used that before, but the software calls on it's own tables, so I'm not sure if that's more trouble there.
If this has been answered could someone direct me there, because I didn't find a comparison.
You should NEVER store passwords using symmetric encryption.
Random salt for every user, hash their password, store both the salt and hash in the database. Then on login requests you get the user by email/username/id etc, then use the salt tied to that user and hash their supplied password and then match it against the stored hash. If matches, login, else bad password.
If you use the built in ASP.NET membership provider it should do this for you.
I suggest you to multipe hash a salted password. More than 10 times or something. So why? Because for you hashing a salted password wont take recognizably longer. But for a evil guy trying different combinations to brutefocre a password, it takes 10 times more time each try. And he can't be sure if you did it 10 or 1000 times.
I use this personally as a cheap security increase.
See here: Stackoverflow Salting Your Password: Best Practices?
or there Secure hash and salt for PHP passwords
Good luck :)
Harry
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With