Password Encryption Question - SQL Server

Asked

Viewed 924 times

1

I am developing an ASP.NET MVC system, SQL Server database, which will have logins control, and to encrypt the password, I have developed the following functions and procedures: 

CREATE FUNCTION [dbo].[ENCRIPTA_SENHA]
(
   -- Add the parameters for the function here
   @SENHA VARCHAR(200)
)
RETURNS VARBINARY(200)
AS
BEGIN
   DECLARE @pwd varchar(50) = 'maicongabriel', @RESULTADO VARBINARY(256)
   set @RESULTADO = ENCRYPTBYPASSPHRASE(@PWD, @SENHA)

   RETURN @RESULTADO
END

CREATE FUNCTION [dbo].[DECRIPTA_SENHA]
(
       -- Add the parameters for the function here
       @SENHA VARCHAR(200)
)
RETURNS VARCHAR(200)
AS
BEGIN

DECLARE @pwd varchar(50) = 'maicongabriel'

       RETURN CAST(DECRYPTBYPASSPHRASE(@pwd,@SENHA) As VARCHAR(200))

END

CREATE PROCEDURE [dbo].[VALIDA_SENHA]
       -- Add the parameters for the stored procedure here
         @USUARIO VARCHAR(200), @SENHA varchar(200)
AS
BEGIN
       -- SET NOCOUNT ON added to prevent extra result sets from
       -- interfering with SELECT statements.
       SET NOCOUNT ON;

    -- Insert statements for procedure here
       SELECT X.USUARIO FROM 
          (SELECT USUARIO, DBO.DECRIPTA_SENHA(SENHA) SENHA FROM USUARIOS_TESTE A ) AS X 
       WHERE X.USUARIO = @USUARIO AND X.SENHA = @SENHA

END

When I will do the Insert in the bank via ASP.NET MVC, I would do the same more or less this way: 

INSERT INTO USUARIOS_TESTE SELECT 'daniel', dbo.ENCRIPTA_SENHA('123456')

And when I go to process the login form, I would use my Procedure and see if it brought back:

VALIDA_SENHA 'DANIEL','123456'

Is it good practice to do it this way? Is there a better way? Because then the passwords will be encrypted in the database, and in the source code ASP.NET will be only the execution of ENCRIPTA_SENHA and VALIDA_SENHA..

sql sql-server

  • Of course @pwd varchar(50) = 'maicongabriel' is just an example, I’ll put something more complex there.. for example only now I am using this 'maicongabriel'

  • This is not a good practice, because Voce can use the PROFILLER and take everything that is being passed to the database, so you will know the password. You must encrypt before sending to the database

  • What C# function can I use to encrypt and decrypt passwords @Pauloalexandre ?

1 answer

1


Encrypting the password in the bank is perfect, but note that you are using direct encryption on INSERT, This means that you should use the same when doing SELECT to compare the password.

The ideal is that the password is not "decrypted", the good practice is to use a Hash which cannot be safely undone.

To do this, use the function HASHBYTES might be a good alternative. If you need the user can reset the password, but not "decrypt", this is the safest way to save the information.

  • I did not know this function... I took a look at it and really, with it I will not need to decrypt the password at any time... I will analyze to use this function in my password.. thank you very much!

  • 1

    Yes, you can ride the insert thus: INSERT INTO USUARIOS_TESTE SELECT 'daniel', HASHBYTES('SHA1', '123456'), just remember that returns from HASHBYTES is a varbinary, you may need to convert to the data type of your field.

  • 1

    Yes.. the password column in my bank is already a varbinary.. and when it comes to validating with select, it would look like this: SELECT X.USUARIO FROM (SELECT USUARIO, SENHA FROM USUARIOS_TESTE A ) AS X 
 WHERE X.USUARIO = @USUARIO AND X.SENHA = HASHBYTES('SHA1', @SENHA) this right?

  • I did a test with variables, and really, as shows the Imagery , worked out! Thank you very much! :)

  • This way also worked, but this way I’m decrypting the password, so I think it’s not ideal, since the other way does not decrypt right?

Browser other questions tagged sql sql-server

You are not signed in. Login or sign up in order to post.