When is it a good idea to store passwords in clear text?

I am working on an application that is targeted at non technical users. I expect a large number of support calls regarding lost passwords and inability to login.

I am using ASP.NET membership provider that provides 3 options for storing passwords - Clear text, Hashed, Encrypted.

Is it a good idea to store passwords in clear text given the nature of this application? Are there any legal issues involved in storing passwords in clear text?

Nick Avatar asked Jan 19 '10 15:01

1 Answer

Never.

There is never a good reason to store passwords in your database, ever. Especially not in clear text. You should be storing the hash of the password only.

The worst thing you can do to a user is broadcast their "recovered" password across the Internet in a clear-text e-mail. It is so easy to simply store a one-way hash of the password which cannot be recovered.

For lost passwords, you simply reset their password and give them a temporary password which they have to change when they log in. Safe and secure.

People often use the same passwords for multiple applications (especially non-technical users). So your application will likely contain the passwords for people's bank accounts, email, etc.

You have a responsibility to secure users' passwords, no matter how trivial your application is.

Robert Cartaino Avatar answered Sep 29 '22 23:09

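The answer's two points, storing only a one-way hash and handling a lost password by issuing a temporary one that must be changed at the next login, as an added example in Python (not code from the question, the answer, or ASP.NET's membership provider). The user record is a constructed dict standing in for a database row; the format string, iteration count and function names are this example's own choices.

```python
# Added example: salted one-way password hashing (PBKDF2-HMAC-SHA256) plus the
# reset flow from the answer. Standard library only; the "user" dict below is a
# constructed stand-in for a database row.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return "pbkdf2_sha256$iterations$salt_hex$hash_hex"; the password itself is never stored."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def reset_password(user: dict) -> str:
    """Lost-password flow: issue a random temporary password, store only its hash,
    and flag the account so the next login forces a change. The returned plaintext
    is shown to the user once and is never persisted."""
    temporary = secrets.token_urlsafe(12)
    user["password_hash"] = hash_password(temporary)
    user["must_change_password"] = True
    return temporary


def login(user: dict, password: str) -> str:
    """Return "denied", "change_required" or "ok"."""
    if not verify_password(password, user["password_hash"]):
        return "denied"
    return "change_required" if user.get("must_change_password") else "ok"


if __name__ == "__main__":
    user = {"name": "alice", "password_hash": hash_password("correct horse"), "must_change_password": False}
    print(login(user, "wrong"), login(user, "correct horse"))  # denied ok
    temp = reset_password(user)
    print(login(user, "correct horse"), login(user, temp))  # denied change_required
```

Because only the hash is kept, a support agent can reset an account but can never read or e-mail back the original password, which is exactly the property the answer asks for.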