I am totally new to Asp.net mvc. I am trying to implement token based authentication on my Asp.net mvc app. I have implemented it successfully according to http://www.primaryobjects.com/2015/05/08/token-based-authentication-for-web-service-apis-in-c-mvc-net/
Where client generated token is sent with each http request. In the server side I process this token and get the data in it to generate a token in the server side to compare with. Where my token contains the data username, password, ip, user agent and time stamp. in the server side I get the username from client token and retriev the password from database to generate token in the server.
Now the problem is my application has changed to store encrypted password in the database using BCrypt.Net.BCrypt.HashPassword. Now the problem is using this BCrypt api I unable to decrypt the hash password to get the original password. So I have no idea how to generate the token in server side. Any ideas on this are highly appreaciated
This is the nature of a hash. You can hash a text string(password), but you can not reverse it and get the original input. This is because multiple text strings get hashed to the same hash.
So there is no way to say what is the original input by looking at the hash.
To verify the user has input the correct password you can use BCrypt.Verify("my password", passwordHash)
It returns true if your new password matches with the hash. Please note that you cannot hash the password again and just check whether the two hashes are equal because for the same string you get different hashes each time as it adds a random salt value to the original string. So you have to use the BCrypt.Verify for checking passwords. You can choose a different schema for the token or encrypt the password and store in the database if you want to retrieve it later. But usually passwords are hashed when storing in the database for additional security.
Related
I am working on creating a web application to assign user access to a database. We get a ticket to grant access to a user and the help desk person select the sql instance, enters the username and the password on the app to assign access. My issue is the connection strings are all stored in a sql database and the instance password is encrypted using hashbyte function.
How am i going to connect to the database through my C# asp.net code since the password is encrypted.The help desk person will only select the instance and not enter the login credentials
This kind of operation is needed to be one-way so that it cannot be decrypted. Password validation is generally done with hashing. in other words, you have hashed password inside db and when user inputs password, your application first hashes the input password then it compares hashed passwords.
but, hashing is not encryption algorithm, it is a secure one-way compression algorithm
Thus, you cannot use hashed db passwords for any purpose. users need to provide password.
You can use UserSecrets for storing encrypted password. Check this post for implementation
In a C# MVC app that is using the OAuth login method, how do you retrieve the decrypted password for the current logged in user?
I know
User.Identity.GetUserName()
Gets the user name but, in the table AspNetUseres is a PasswordHash column with the hashed password and I want to be able to retrieve that and decrypt it if needed in the app. I can retrieve the hashed string fine but unsure how to convert it into text...
You can't. The whole point of hashing is to obscure data in such a way so you can verify it, but can't see the actual value.
To be able to encrypt / decrypt values, you would need to set up password encryption, not hashing.
But you shouldn't be decrypting user passwords anyway. If you want to mention why you need the password, perhaps someone here could suggest an alternative way of getting what you want.
i seemed Confused what i need to do.it a normal login scenario.i storing hashed value of password in database.[Please dont consider What Hashing Function i Using ].At The Login Time
user inputs his plain Text Password.Now what i needed to Do is hash this password ,pass it web service Then My DataBase Need to Compare Two Hashed Values.Now what i dont know is.
When i hash the Password at login time with salt.Is it still the same value i get or Something else
Can My dataBase(Sql server 2008) Able to Compare Two Hashed Values if Not then what i need to do.There is no need of Get the Password From Database.
Passing Hashed Password over Web services needs Extra Consideration of Security?
i need to Handle Password Recovery also.and can i use encryption/decryption algorithms here.
Please Suggest What i need to Do .
To increase security, it would be better to use a random salt.
The way i use to protect password while storing in the SQL server is that:
Create salt from the password, then generate hash with concatenation
of user name and password..
It will make the salt dependent on password and user name. If you are recovering your password then if credentials are correct then you are able to reset the password.
can i use encryption/decryption algorithms
??
As per your encryption method, Create your own algorithm to encrypt and decrypt the password with salt using the .net encryption libraries.
You have to save salt to database too.
in Authentication, Get salt, hashed inputted password with salt, compare with the hased value in database. All of these can reside in C# code.
You can't get original password from hashed value. You can generate a random password and force customer to change password in next login.
So I think hashed value is safe to transfer online. For a site Adminstrator, even he has access to database, he still doesn't know the password of customer.
I have a ASP.Net C# application that needs to connect to an external API using WebServices every 5 minutes.
The requirements of the External Webservice are as follows:
Username and Password are required
I must transmit the username and password with each webservice request
Passwords expire every 90 days and must be changed prior to the expiration date
Passwords cannot be changed manually (by human), my application must connect to a separate Password Change Webservice to change the password.
My application must generate each new password based on a set of rules.
Passwords can never be reused.
SSL, Certificates and Firewall IP restrictions are required
I have built all of the previous, but I currently have one issue. What is the best practice for storing the current and historical passwords?
Obviously storing the plaintext password is a bad solution. I need to be able to have my webservice read the password and transmit it with each request. I also need to be able to access all of the historical passwords to make sure that my newly generated password is not a duplicate.
Ideally, I would like to store each (encrypted) password in my database and decrypt it whenever I need to call the webservice. Is there a best practice I should be following? Should I encrypt each password using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.Cryptographer.EncryptSymmetric(..)?
Note: Unfortunately, I have no access to change the way the external API functions. I must follow the rules provided.
With regard to the password history I would go down one of two routes:
As per your current plan, store passwords in file/db/config - suggest you use a hashing algorithm (as opposed to encryption) to compare the new password with stored password hashes for "equality".
Don't bother storing password history at all - let the first attempt to the password change web service just fail if it chooses too, then resend with an alternative password. This way, you are not duplicating the business rules of the password change web service (for example, lets say they change it to allow you to re-use a password after 6 months time).
With regard to storing the current password: assuming you must send the password as plaintext, then yes, you should store it in encrypted form. There are many articles out there on how to do this. Or you could even encrypt a specific section of your config file such as seen here.
The easiest way... use the ProtectedData class:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx
byte[] bytes = System.Text.Encoding.UTF8.GetBytes(password);
byte[] cypher = ProtectedData.Protect(data, null, DataProtectionScope.CurrentUser);
//... reverse
byte[] bytes = ProtectedData.Unprotect(cypher, null, DataProtectionScope.CurrentUser);
string password = System.Text.Encoding.UTF8.GetString(bytes);
The ASP.NET IIS Registration Tool (Aspnet_regiis.exe) can encrypt and decrypt sections of web.config. There is no special code required in an application, as ASP.NET 2.0 will magically decrypt sections at runtime.
http://msdn2.microsoft.com/en-us/library/zhhddkxy.aspx
this may sound non sense, actually in may application I use to store password string in DB by computing to hash using SHA512Managed, I am writing a utility using which an admin can send mails to users using that EmailAddress and Password, but I can't pass that coputed value as a password to SMTP. is there any way to solve this?
Or a better cryptogarphy way?
Or any way to send mail in this condition?
Thanx
You cant, SHA512 I believe is not possible to be decrypted, which is why it is used.
All you can do is keep some form of data on your users aka, secret questions, and they must match them and then it will send them a new password.
Any properly encrypted password is not abled to be decrypted
You should NOT be using OR sending your users password, or even a simple hash of that, for that matter.
If you want to enable password reset, you should hand the users a TOKEN (which is NOT the hash of anyone's password). This token should be separately stored in a table and should have a set expiry.
You can use any kind of cryptographic hash (SHA512 is just fine) to 'encode' special information.
--- I fully missed what you meant by 'I cannot...as a password to SMTP'
If you need the original password of your users to even send mail, than - well that is twisted. Perhaps you could elaborate/explain this part
SHA-512 is a one-way hash, meaning you can't take the hash value and determine what string/value was used to generate that hash. Technically, there can be an infinite number of strings/values that would generate the same hash.
If you want to be able to get the value back, you should use encryption, not hashing.