Hi

I store the customers' passwords in the DB using encryption.

When the customer edits his personal data (including the password), the password is shown as *****.

How can I tell that the user changed his password, so that I write to the DB without encrypting it again and again?

I mean that the value in the password field is the encrypted value. If the user doesn't change the password, I must update with the same value (or not update at all). If the user changes the password to 1234, I must encrypt the 1234 and write the encrypted value to the DB.

Thanks

+6  A: 

Don't send the MD5-hashed string from the DB back. Set up three fields:

  • Old password
  • New password
  • New password again

Then check if the first field, after MD5 hashing, is equal to the stored one in the DB. If it is, hash the second field and store it (only if the second and third are equal).

erenon
Thanks, I am going to implement it.
ntan
Works just fine.
ntan
A: 

You should require entering both the old and the new password when the user wants to change it.

That way, you can encode the old password and check if the encoded value is the same as in the database. If it is the same, then you should update the password in the DB with the encoded new password. If it is not the same (or the old password is empty), you do not update.

This helps you to distinguish between a password change and a settings-only change. You also gain some level of security: if someone has captured the session of your user, he cannot change the password without also capturing the original password.

SWilk
A: 

A few points:

  • MD5 is a hashing algorithm; you will never be able to reverse the hash, and that's the point.
  • Don't use MD5, as it has been cracked; use a SHA2+ hash algorithm (SHA256, for example).
  • Simply confirm the password with the "old password" by hashing the old password and comparing it against the one in the database.
  • Another option is resetting the password, which will email their confirmed (hopefully) contact email with the new password.
  • If they're logged into the system already, you should not need to "confirm" the old password again.
  • Never send the hashed password back from the database; it is kind of defeating the purpose of what you are trying to accomplish.
Kyle Rozendo
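The three-field flow described in the first two answers (hash the submitted old password, compare it with the stored hash, only then hash and store the new one, and never send the stored hash to the form), as an added example that is not code from any of the posters. It assumes a constructed in-memory user table and uses a salted PBKDF2-HMAC-SHA256 hash with a constant-time comparison instead of the plain MD5/SHA256 the answers mention; the change-detection logic is the same.

```python
import hashlib
import hmac
import os

# Assumption: work factor for PBKDF2; tune for the deployment's hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password (stand-in for MD5/SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(db: dict, username: str, password: str) -> None:
    """Constructed 'user table': username -> (salt, stored_hash). The plaintext is never kept."""
    salt = os.urandom(16)
    db[username] = (salt, hash_password(password, salt))


def verify_login(db: dict, username: str, password: str) -> bool:
    """Hash the submitted password with the user's salt and compare in constant time."""
    if username not in db:
        return False
    salt, stored = db[username]
    return hmac.compare_digest(hash_password(password, salt), stored)


def change_password(db: dict, username: str, old_password: str,
                    new_password: str, new_password_again: str) -> bool:
    """Three-field change flow. Returns True only when the row was actually updated."""
    if username not in db:
        return False
    # An empty old-password field means the user only edited other settings: leave the row alone.
    if not old_password:
        return False
    # Re-hash the submitted old password and compare with what is stored; never the reverse.
    if not verify_login(db, username, old_password):
        return False
    # The two new-password fields must match and must not be empty.
    if not new_password or new_password != new_password_again:
        return False
    # Store the new password under a fresh salt; the old hash is discarded.
    new_salt = os.urandom(16)
    db[username] = (new_salt, hash_password(new_password, new_salt))
    return True
```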