I am working on an application that is targeted at non-technical users. I expect a large number of support calls regarding lost passwords and inability to log in.
I am using ASP.NET membership provider that provides 3 options for storing passwords - Clear text, Hashed, Encrypted.
Is it a good idea to store passwords in clear text given the nature of this application? Are there any legal issues involved in storing passwords in clear text?
To make it simple, if passwords are in plain text, the security would be compromised by anyone having a glance at it. Now, you need to remember that website log-in isn't the only access to a database. An attacker might be able to get some information from your database in various ways.
Cleartext is transmitted or stored text that has not been subjected to encryption and is not meant to be encrypted. As such, cleartext does not require decryption in order to be displayed.
Solutions for securely storing and sharing passwords

First and foremost, make sure that storing and sharing passwords in plain text is no longer your (and your colleagues') habit. Instead, build some new ones! For storing passwords, forget all those sheets, notepads and Sticky notes – use encrypted password storage.
Never.
There is never a good reason to store passwords in your database, ever. Especially not in clear text. You should be storing the hash of the password only.
The worst thing you can do to a user is broadcast their "recovered" password across the Internet in a clear-text e-mail. It is so easy to simply store a one-way hash of the password which cannot be recovered.
For lost passwords, you simply reset their password and give them a temporary password which they have to change when they log in. Safe and secure.
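The approach in this answer (store only a one-way salted hash, and handle lost passwords by issuing a temporary one that must be changed at first login), written out as an added example. It is generic Python, not ASP.NET membership provider code; the in-memory `USERS` table and the record format `pbkdf2_sha256$iterations$salt$digest` are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    Only this record is stored; the password itself is never written anywhere."""
    salt = salt or secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


USERS = {}  # constructed in-memory user table: username -> {record, must_change}


def register(username: str, password: str) -> None:
    USERS[username] = {"record": hash_password(password), "must_change": False}


def reset_password(username: str) -> str:
    """Lost-password flow: generate a random temporary password, store only its
    hash, and flag the account so the next successful login forces a change.
    The return value is handed to the user once; it is never stored or recoverable."""
    temp = secrets.token_urlsafe(12)
    USERS[username] = {"record": hash_password(temp), "must_change": True}
    return temp


def login(username: str, password: str) -> str:
    """Return 'denied', 'change_required' (temporary password in use) or 'ok'."""
    user = USERS.get(username)
    if user is None or not verify_password(password, user["record"]):
        return "denied"
    return "change_required" if user["must_change"] else "ok"


def change_password(username: str, new_password: str) -> None:
    USERS[username] = {"record": hash_password(new_password), "must_change": False}
```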
People often use the same passwords for multiple applications (especially non-technical users). So your application will likely contain the passwords for people's bank accounts, email, etc.
You have a responsibility to secure users' passwords, no matter how trivial your application is.