MVC 3 where to encrypt the user's password?

asp.net-mvc-3 encryption entity-framework

Question

I have my own password encryption dll that I am using to check the user's password when they log in; this is referenced in my User entity.

Now I have created the ability for a user to register, which is working fine, apart from the fact that the passwords are yet to be encrypted.

My question is quite simple: where should I put the encryption of the new user's password? I'm not sure, as I am aware that the user's password shouldn't be transmitted in plain text, and therefore I don't know where the best place to call the encryption function is:

  • User Entity (where the encryption dll is already used for validation).
  • The User repository where the save user method is.
  • The User controller where the user creation views are controlled.
  • Somewhere else that I haven't considered!

Thanks very much

8/17/2012 5:47:35 PM

Accepted Answer

First of all, for client - server communication, I would suggest you use SSL so that sensitive information (like passwords) is not transferred in plain text format.

Afterwards, it's common practice not to save passwords anywhere (even with encryption), but only their hashed values.

You can put the hash function in the set method of the password property. Here is an example:

using System;
using System.Text;

public class Member
{
    private string _username;

    // Usernames are normalised to lower case so lookups are case-insensitive.
    public string Username
    {
        get { return _username; }
        set { _username = value.ToLowerInvariant(); }
    }

    // Only the hash is persisted; the plaintext password is never stored.
    public string Passhash { get; set; }

    public void SetPassword(string password)
    {
        Passhash = Crypto.Hash(password);
    }

    public bool CheckPassword(string password)
    {
        return string.Equals(Passhash, Crypto.Hash(password));
    }
}

public static class Crypto
{
    // Plain, unsalted SHA-256; see the edit below for why this is too weak on its own.
    public static string Hash(string value)
    {
        using (var sha = System.Security.Cryptography.SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(value)));
        }
    }
}

Edit:

As Craig Stuntz pointed out, the Hash code in this example is very simple. See the following post for a more secure way to hash your password: Hashing passwords with MD5 or sha-256 C#

5/23/2017 12:07:01 PM

Popular Answer

In a service layer method that will be responsible for doing 2 things:

  1. call your encryption layer to hash the password (not to encrypt it)
  2. call your user repository to persist the user entity to the database with the hashed password

The controller action will of course talk to the service layer.
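Both answers above land on the same shape: hash rather than encrypt, and do it in exactly one place (the entity setter in the accepted answer, a service method in the popular one) so that neither the controller nor the repository ever handles the plaintext. The following is an added example, not code from either answer or from the asker's project, that follows the service-layer layout with the stronger hashing the accepted answer's edit points to: PBKDF2 via Rfc2898DeriveBytes (in the .NET Framework since 2.0, so available to an MVC 3 project) with a per-user random salt, plus a fixed-time comparison on login. The names User, IUserRepository, InMemoryUserRepository, PasswordHasher and UserService are assumptions made for the example; the in-memory repository stands in for the Entity Framework repository the question mentions, and a controller action would simply call Register or ValidateLogin.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical entity: persists only the salt, the iteration count and the
// derived key. The plaintext password never reaches the repository.
public class User
{
    public string Username { get; set; }
    public byte[] PasswordSalt { get; set; }
    public byte[] PasswordHash { get; set; }
    public int Iterations { get; set; }
}

// Hypothetical repository contract; a real app backs this with Entity Framework.
public interface IUserRepository
{
    User FindByUsername(string username);
    void Save(User user);
}

// In-memory stand-in so the example runs offline.
public class InMemoryUserRepository : IUserRepository
{
    private readonly Dictionary<string, User> _users =
        new Dictionary<string, User>(StringComparer.OrdinalIgnoreCase);

    public User FindByUsername(string username)
    {
        User user;
        return _users.TryGetValue(username, out user) ? user : null;
    }

    public void Save(User user) { _users[user.Username] = user; }
}

// Hashing helper: PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes) with a random per-user salt.
public static class PasswordHasher
{
    private const int SaltSize = 16;   // 128-bit salt
    private const int KeySize = 32;    // 256-bit derived key
    public const int DefaultIterations = 100000;

    public static byte[] NewSalt()
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return salt;
    }

    public static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(KeySize);
    }

    // Compare every byte regardless of where the first mismatch is, so the time a
    // failed login takes does not reveal how much of the hash already matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Service layer: the single place that turns a plaintext password into a stored hash.
public class UserService
{
    private readonly IUserRepository _repo;
    public UserService(IUserRepository repo) { _repo = repo; }

    public void Register(string username, string password)
    {
        if (_repo.FindByUsername(username) != null)
            throw new InvalidOperationException("username already taken");
        var salt = PasswordHasher.NewSalt();
        _repo.Save(new User
        {
            Username = username,
            PasswordSalt = salt,
            Iterations = PasswordHasher.DefaultIterations,
            PasswordHash = PasswordHasher.Derive(password, salt, PasswordHasher.DefaultIterations)
        });
    }

    public bool ValidateLogin(string username, string password)
    {
        var user = _repo.FindByUsername(username);
        if (user == null)
        {
            // Burn the same KDF cost for unknown users so response time does not
            // tell an attacker which usernames exist.
            PasswordHasher.Derive(password, new byte[16], PasswordHasher.DefaultIterations);
            return false;
        }
        var candidate = PasswordHasher.Derive(password, user.PasswordSalt, user.Iterations);
        return PasswordHasher.FixedTimeEquals(candidate, user.PasswordHash);
    }
}

public static class Program
{
    public static void Main()
    {
        var service = new UserService(new InMemoryUserRepository());
        service.Register("alice", "correct horse battery staple");
        Console.WriteLine(service.ValidateLogin("alice", "correct horse battery staple"));
        Console.WriteLine(service.ValidateLogin("alice", "wrong password"));
        Console.WriteLine(service.ValidateLogin("bob", "anything"));
    }
}
```

Storing the iteration count alongside the hash is what lets you raise it later: old rows keep validating with their recorded count, and a successful login is the natural moment to re-derive and save the hash at the new strength.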

Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow