Can you decrypt an encrypted password

Hi,

For most of my recent web applications I have used ASP Membership and found it works quite well. I was looking at examples where you can implement your own security. The thing I like about ASP Membership (as far as I know) is that you cannot look a user up in the DB, get their salt and encrypted password, and reverse engineer it to reveal the decrypted password.

Take this code snippet:

// Namespaces the snippet needs (added so it compiles as posted).
using System;
using System.Security.Cryptography;
using System.Text;

// Minimal user record assumed by IsPasswordValid; the original post does not show it.
public class User
{
    public string Salt { get; set; }
    public string HashedPassword { get; set; }
}

public class PasswordService
{
    // Despite the name, this does not encrypt anything: it computes a one-way
    // SHA-256 hash of salt + password and returns it Base64-encoded.
    public string EncryptPassword(string password, string salt)
    {
        if (string.IsNullOrEmpty(password))
        {
            throw new ArgumentException("password");
        }

        if (string.IsNullOrEmpty(salt))
        {
            throw new ArgumentException("salt");
        }

        using (var sha256 = SHA256.Create())
        {
            var saltedPassword = string.Format("{0}{1}", salt, password);
            byte[] saltedPasswordBytes = Encoding.UTF8.GetBytes(saltedPassword);
            return Convert.ToBase64String(sha256.ComputeHash(saltedPasswordBytes));
        }
    }

    // Re-hashes the supplied password with the user's stored salt and compares
    // the result with the stored hash (ordinary, non-constant-time string comparison).
    public bool IsPasswordValid(User user, string password)
    {
        return string.Equals(EncryptPassword(password, user.Salt), user.HashedPassword);
    }
}

I can use IsPasswordValid to validate a user, but could a dev refactor the code in EncryptPassword to decrypt the password?

I'm hoping and thinking the answer is no.

Thanks, Dave.
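The following is an added example, not code from the post above. It reproduces the salt + password SHA-256 construction from the question to show that there is no inverse function to refactor towards: the stored value can only be matched by hashing candidate passwords and comparing, never decrypted. It then shows the form a practitioner would store instead, a slow, salted PBKDF2 hash verified with a constant-time comparison, which raises the cost of each guess. The class, method and constant names are this example's own, and it assumes .NET 6 or later for the static `SHA256.HashData`, `RandomNumberGenerator.GetBytes` and `Rfc2898DeriveBytes.Pbkdf2` APIs.

```csharp
// Added example (not from the original post). Assumes .NET 6 or later.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHashingDemo
{
    // Same construction as the question: SHA-256 over salt + password, Base64-encoded.
    public static string HashSha256(string password, string salt)
    {
        byte[] salted = Encoding.UTF8.GetBytes(salt + password);
        return Convert.ToBase64String(SHA256.HashData(salted));
    }

    // Hardened alternative: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a
    // high iteration count, so every guess costs real CPU time.
    public const int Iterations = 600_000; // assumption: tune to your own latency budget
    public const int HashLength = 32;

    public static (byte[] Salt, byte[] Hash) HashPbkdf2(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashLength);
        return (salt, hash);
    }

    public static bool VerifyPbkdf2(string password, byte[] salt, byte[] storedHash)
    {
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, storedHash.Length);
        // Constant-time comparison: does not leak how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }

    public static void Main()
    {
        // Constructed sample values for the demonstration.
        const string salt = "constructed-salt";
        const string password = "correct horse";

        string stored = HashSha256(password, salt);
        Console.WriteLine($"Stored SHA-256 value: {stored}");

        // No decrypt step exists. Verification, and equally an attacker who has
        // the salt and hash, can only hash a candidate and compare.
        foreach (var guess in new[] { "wrong guess", password })
        {
            bool matches = HashSha256(guess, salt) == stored;
            Console.WriteLine($"guess '{guess}' matches: {matches}");
        }

        // Same check with the slow, salted KDF and constant-time comparison.
        var (kdfSalt, kdfHash) = HashPbkdf2(password);
        Console.WriteLine($"PBKDF2 verify correct password: {VerifyPbkdf2(password, kdfSalt, kdfHash)}");
        Console.WriteLine($"PBKDF2 verify wrong password:   {VerifyPbkdf2("wrong guess", kdfSalt, kdfHash)}");
    }
}
```

The design point is that "cannot be decrypted" is the property both functions share; what separates them is how expensive each guess is. A single SHA-256 round over salt + password is cheap to evaluate in bulk, so the real risk with the posted snippet is fast offline guessing if the table leaks, not decryption. Storing the PBKDF2 salt and hash per user (in place of `Salt` and `HashedPassword`) and verifying with `FixedTimeEquals` addresses both that cost and the timing leak of an ordinary string comparison.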
