Every time we build a database-driven, personalised web site, we must protect user data. An attacker can steal an individual user's password, but the more serious problem is that they can steal the entire database and then immediately use every password in it.
Principle
A good practice is not to store the actual passwords in the database, but to store their hashed versions. (The original text calls this "encryption", but the operation described is a one-way hash: there is no key and nothing is ever decrypted.) To authenticate a user, we only need to hash the password the user typed and compare the result with the hash stored in the system.
In classic ASP we had to use an external COM object to hash strings. The .NET SDK solves this problem: the FormsAuthentication class in the System.Web.Security namespace provides the HashPasswordForStoringInConfigFile method. As its name suggests, it was written to produce the hashed credentials that go into the <credentials> element of web.config for Forms authentication, but it will hash any string.
Example
The HashPasswordForStoringInConfigFile method is very easy to use. It takes the string to hash and the name of the hash algorithm, "SHA1" or "MD5", and returns the digest as an upper-case hexadecimal string (40 characters for SHA1, 32 for MD5). To see the method in action, let's create a small ASP.NET page and hash the string with SHA1 and MD5.
The following is the source code of the ASP.NET page:
ASPX file:
<%@ Page language="c#" Codebehind="loginform.aspx.cs" AutoEventWireup="false" Inherits="konson.log.loginform" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<title>loginform</title>
<meta name="GENERATOR" Content="Microsoft Visual Studio 7.0">
<meta name="CODE_LANGUAGE" Content="C#">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body MS_POSITIONING="GridLayout">
<form id="loginform" method="post" runat="server">
<table style="WIDTH: 205px; HEIGHT: 86px">
<tr>
<td style="WIDTH: 78px">logon name</td>
<td><asp:TextBox id="userid" runat="server" Width="101px"></asp:TextBox></td>
</tr>
<tr>
<td style="WIDTH: 78px">password</td>
<!-- TextMode="Password" masks the input in the browser; the original page used a plain text box -->
<td><asp:TextBox id="pwd" runat="server" Width="101px" TextMode="Password"></asp:TextBox></td>
</tr>
<tr>
<td style="WIDTH: 78px"><asp:Button id="login" runat="server" Text="login"></asp:Button></td>
<td><asp:Button id="cancel" runat="server" Text="Remove"></asp:Button></td>
</tr>
</table>
</form>
</body>
</HTML>
Code Behind file:
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using System.Web.Security;

namespace konson.log
{
    public class loginform : System.Web.UI.Page
    {
        protected System.Web.UI.WebControls.TextBox userid;
        protected System.Web.UI.WebControls.Button login;
        protected System.Web.UI.WebControls.Button cancel;
        protected System.Web.UI.WebControls.TextBox pwd;
        string epwd;

        private void Page_Load(object sender, System.EventArgs e)
        {
        }

        #region Web Form Designer generated code
        override protected void OnInit(EventArgs e)
        {
            InitializeComponent();
            base.OnInit(e);
        }

        private void InitializeComponent()
        {
            this.login.Click += new System.EventHandler(this.login_Click);
            this.Load += new System.EventHandler(this.Page_Load);
        }
        #endregion

        private void login_Click(object sender, System.EventArgs e)
        {
            // Hash the submitted password. The result is an upper-case hex string:
            // 40 characters for SHA1, 32 for MD5. This value, never pwd.Text, is what gets stored.
            epwd = FormsAuthentication.HashPasswordForStoringInConfigFile(pwd.Text, "SHA1");
            // epwd = FormsAuthentication.HashPasswordForStoringInConfigFile(pwd.Text, "MD5");
            Response.Write(epwd);   // written to the page only so the demo shows the output
        }
    }
}
In the code above, you only need to write the hashed epwd string to the database instead of the password, and at login hash the submitted password the same way and compare the two strings. Hashing the password really is that simple, but two caveats matter in practice. First, HashPasswordForStoringInConfigFile applies no salt and uses a fast algorithm, so two users with the same password get the same stored value and an attacker who steals the table can hash a wordlist once and match it against every row; a per-user random salt and a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) are the standard fix, and they are also why MD5 and SHA1 are no longer recommended for password storage. Second, the method was marked obsolete in .NET Framework 4.5 and does not exist in ASP.NET Core, where the PasswordHasher used by ASP.NET Core Identity, or Rfc2898DeriveBytes directly, takes its place.
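As an added example (not code from the original page or from the FormsAuthentication API), the following C# console program for .NET 6 or later does three things: it reproduces the output of HashPasswordForStoringInConfigFile (SHA1 or MD5 over the UTF-8 bytes of the password, upper-case hex, no salt) and performs the rehash-and-compare check described under Principle; it shows why that unsalted fast hash is weak by matching a constructed "stolen" table against a small wordlist; and it implements the salted, slow alternative with PBKDF2-HMAC-SHA256. The class and method names, the "pbkdf2-sha256$iterations$salt$key" record format and the sample users are this example's own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original page. Targets .NET 6 or later
// (static HashData, Convert.ToHexString, RandomNumberGenerator.GetBytes,
// Rfc2898DeriveBytes.Pbkdf2 and CryptographicOperations.FixedTimeEquals).
public static class PasswordStorageDemo
{
    // Same output as FormsAuthentication.HashPasswordForStoringInConfigFile:
    // UTF-8 bytes of the password through SHA1 or MD5, no salt, upper-case hex
    // (40 characters for SHA1, 32 for MD5).
    public static string LegacyHash(string password, string algorithm)
    {
        byte[] data = Encoding.UTF8.GetBytes(password);
        byte[] digest = algorithm.ToUpperInvariant() switch
        {
            "SHA1" => SHA1.HashData(data),
            "MD5" => MD5.HashData(data),
            _ => throw new ArgumentException("algorithm must be SHA1 or MD5", nameof(algorithm)),
        };
        return Convert.ToHexString(digest);
    }

    // The check the article describes: rehash what the user typed and compare it
    // with the stored value. A constant-time comparison avoids leaking how many
    // leading characters matched.
    public static bool LegacyVerify(string password, string storedHash, string algorithm)
        => CryptographicOperations.FixedTimeEquals(
               Encoding.ASCII.GetBytes(LegacyHash(password, algorithm)),
               Encoding.ASCII.GetBytes(storedHash.ToUpperInvariant()));

    // Why an unsalted fast hash is not enough: whoever holds the whole table
    // hashes a wordlist once and matches it against every row at the same time.
    // Returns user -> recovered password for each row that matched.
    public static Dictionary<string, string> CrackLegacyTable(
        IReadOnlyDictionary<string, string> userToHash, IEnumerable<string> wordlist, string algorithm)
    {
        var lookup = new Dictionary<string, string>();
        foreach (string word in wordlist)
            lookup[LegacyHash(word, algorithm)] = word;

        var cracked = new Dictionary<string, string>();
        foreach (var (user, hash) in userToHash)
            if (lookup.TryGetValue(hash, out var word))
                cracked[user] = word;
        return cracked;
    }

    // Hardened replacement: a random per-user salt plus a deliberately slow KDF.
    // 600,000 iterations of PBKDF2-HMAC-SHA256 is the figure in OWASP's Password
    // Storage Cheat Sheet (2023); Argon2id or bcrypt are equally good choices.
    private const int SaltSize = 16, KeySize = 32, Iterations = 600_000;

    // Record format is this example's own: "pbkdf2-sha256$iterations$salt$key" (base64 fields).
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);
        return $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
    }

    public static bool VerifyPassword(string password, string storedRecord)
    {
        string[] parts = storedRecord.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations <= 0) return false;
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        // Recompute with the salt and iteration count stored in the record, so the
        // parameters can be raised later without invalidating old records.
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        // Constructed sample data: a "stolen" table built the way the article's page builds it.
        var stolen = new Dictionary<string, string>
        {
            ["alice"] = LegacyHash("password", "SHA1"),
            ["bob"] = LegacyHash("password", "SHA1"),     // same hash as alice: no salt
            ["carol"] = LegacyHash("correct horse battery staple", "SHA1"),
        };
        string[] wordlist = { "123456", "password", "qwerty", "letmein" };

        Console.WriteLine($"legacy verify for alice: {LegacyVerify("password", stolen["alice"], "SHA1")}");
        foreach (var (user, pw) in CrackLegacyTable(stolen, wordlist, "SHA1"))
            Console.WriteLine($"cracked {user}: {pw}");   // alice and bob fall, carol does not

        string recordA = HashPassword("password");
        string recordB = HashPassword("password");
        Console.WriteLine($"salted records differ for the same password: {recordA != recordB}");
        Console.WriteLine($"verify correct password: {VerifyPassword("password", recordA)}");
        Console.WriteLine($"verify wrong password:   {VerifyPassword("Password", recordA)}");
    }
}
```

Run it with `dotnet run` in a console project. The legacy part shows the cost of the article's approach: the two accounts that share a password share a hash, and one pass over a four-word list recovers both. In the PBKDF2 part the same password yields two different records because each carries its own salt, so a wordlist has to be rehashed per account, and each hash now costs hundreds of thousands of HMAC evaluations instead of one.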