I am going to use symmetric key encryption and decryption using the Rijndael algorithm when registering a new user's password as well as logging someone into the application. Is the following the proper process? When the submit button is clicked, pass the value of the password textbox into a variable and encrypt it. Then, when I get to the point of matching the password against the database, decrypt it to plain text and pass it into my stored procedure? Hope this makes sense. Thanks.

How are you going to use symmetric key encryption? The user has to send you a key to do that.
What I think you want to do is hash the password. Take a look at the code here:
http://davidhayden.com/blog/dave/archive/2004/02/16/157.aspx
If I use SSL, do I still need to hash the password?
Yes, you will have to hash the password. Keep in mind that SSL just protects the communication between the browser and the server. When you store the password into the database, it will be seen as a normal cleartext password.
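To make the "hash it, don't encrypt it" advice concrete, here is an added example (my own code, not from the thread or from the linked blog post) of the two operations the application actually needs: producing a salted, iterated hash at registration time, and verifying a submitted password against the stored value at login time without ever recovering the plain text. It assumes PBKDF2-HMAC-SHA256 from Python's standard library, and the iteration count, salt length and the `algorithm$iterations$salt$hash` storage format are my own choices for this illustration. The string returned by `hash_password` is what would go into the password column your stored procedure writes; at login the stored string is read back and compared in application code with `verify_password`, so no decryption step and no key exist anywhere.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (not taken from the original thread).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # slows down offline guessing if the table leaks
SALT_BYTES = 16        # per-user random salt defeats precomputed tables


def hash_password(password: str,
                  salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing string safe to store in the users table.

    Format: "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
    A fresh random salt is drawn unless one is supplied (only for tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time.

    Nothing here reverses the stored value; a malformed or unknown record
    simply fails verification instead of raising.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Registration: store this string, never the password itself.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    # Login: verify against the stored record.
    print("right password:", verify_password(record, "correct horse battery staple"))
    print("wrong password:", verify_password(record, "Tr0ub4dor&3"))
```

Because the salt is random, two users who choose the same password get different stored strings, and because the derivation is one-way, a leaked table gives an attacker only the option of guessing. Note also that the hashing happens on the server after the password arrives over SSL, which is exactly the split the reply above describes: SSL protects the wire, the hash protects the database.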