Hi,
For most of my recent web applications I have used ASP Membership and found it works quite well. Was looking at examples where you can implement your own security. The thing I like about ASP Membership (this is as far as I know) is that you cannot look a user up in the DB, get their salt and encrypted password and reverse engineer it to reveal the decrypted password.
Take this code snippet:
    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Produces a salted SHA-256 digest of the password (a one-way hash, despite the name).
    public string EncryptPassword(string password, string salt)
    {
        if (string.IsNullOrEmpty(password))
        {
            throw new ArgumentException("password");
        }
        if (string.IsNullOrEmpty(salt))
        {
            throw new ArgumentException("salt");
        }
        using (var sha256 = SHA256.Create())
        {
            // Salt is prepended to the password before hashing.
            var saltedPassword = string.Format("{0}{1}", salt, password);
            byte[] saltedPasswordBytes = Encoding.UTF8.GetBytes(saltedPassword);
            return Convert.ToBase64String(sha256.ComputeHash(saltedPasswordBytes));
        }
    }

    // Re-hashes the supplied password with the user's stored salt and compares it to the stored hash.
    public bool IsPasswordValid(User user, string password)
    {
        return string.Equals(EncryptPassword(password, user.Salt), user.HashedPassword);
    }
I can use IsPasswordValid to validate a user, but could a dev refactor the code in EncryptPassword to decrypt the password?
I'm hoping and thinking the answer is no.
Thanks, Dave.
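Added example, not code from the post or from ASP.NET Membership: the same salted, one-way verify-by-recomputing shape as EncryptPassword/IsPasswordValid above, but built on a deliberately slow key-derivation function (Rfc2898DeriveBytes.Pbkdf2, .NET 6 or later assumed) with a constant-time comparison, so that a leaked salt and hash still cannot be run backwards and guessing candidates is expensive. The class name, sizes and iteration count are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;

// Illustrative class (assumed names); only the salt and derived hash are ever stored.
public static class PasswordHasher
{
    private const int SaltSize = 16;        // bytes of random salt per user
    private const int HashSize = 32;        // bytes of derived output
    private const int Iterations = 100_000; // work factor; raise as hardware gets faster

    // Fresh random salt for each user, so equal passwords produce different hashes.
    public static byte[] CreateSalt()
    {
        return RandomNumberGenerator.GetBytes(SaltSize);
    }

    // One-way derivation: no inverse exists that recovers the password from
    // (salt, hash); the only way back is re-deriving from a candidate password.
    public static byte[] DeriveHash(string password, byte[] salt)
    {
        if (string.IsNullOrEmpty(password))
            throw new ArgumentException("password must not be empty", nameof(password));
        if (salt == null || salt.Length == 0)
            throw new ArgumentException("salt must not be empty", nameof(salt));

        return Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
    }

    // Constant-time comparison so timing does not reveal how many bytes matched.
    public static bool IsPasswordValid(string password, byte[] salt, byte[] storedHash)
    {
        byte[] candidate = DeriveHash(password, salt);
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }

    // Round trip: register with a constructed password, then verify a right and a wrong guess.
    public static void Main()
    {
        byte[] salt = CreateSalt();
        byte[] stored = DeriveHash("correct horse battery", salt);

        Console.WriteLine(IsPasswordValid("correct horse battery", salt, stored)); // True
        Console.WriteLine(IsPasswordValid("wrong guess", salt, stored));           // False
    }
}
```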