I am working with the user login module, so I want to add some security. In the SQL Server login table I have UserID, Username, Password & Confirm Password. In this session I want to store the Password & Confirm Password columns and show the value in ASCII format.
asked Oct 26, 2009 at 03:20 AM in Default
Best not to store the user's password at all. Use SALT and HASH to convert the password to something else, and store that. Use the same SALT and HASH to modify the password the next time they log in, and compare the SALT'd and HASH'd value against the value stored in the database.
If you store the password using any simple algorithm that is reversible and someone steals your password table then what? Likelihood is that those users have used the same password for their Online Banking (idiots! but YOU can't stop them doing that :( )
You then need a routine for allocating them a new password when they forget it - rather than just emailing them their current password - because, with SALT and HASH you cannot reverse the process so you can never actually discover their original password.
My suggestion for that is that you have an additional column for NewPassword and ExpiryDate and you send them the NewPassword in an email and store the ExpiryDate. You then let them login using either their original password (in case they remember it in a flash of brilliance!) or the NewPassword - but only up to the ExpiryDate - e.g. a couple of hours.
Note that when they login using the NewPassword you need to force them to enter a new password (which you store in the Password field).
Note also that the NewPassword should also be stored using SALT and HASH.
answered Oct 27, 2009 at 07:40 AM
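The scheme in this answer (per-user salt, one-way hash, a temporary NewPassword with an ExpiryDate, forced change after a temporary login), worked through as an added example that is not the answerer's own code. It assumes PBKDF2-HMAC-SHA256 as the "SALT and HASH" step, stores the hash of the temporary password in a NewPasswordHash column rather than the cleartext, and uses an in-memory SQLite table as a stand-in for the SQL Server login table (the BLOB columns would be VARBINARY in T-SQL). The iteration count, column names and sample user are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# PBKDF2 work factor: an assumed demo value; raise it as far as your login
# latency budget allows. Salt is random and unique per user.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, iterated hash. Nothing reversible is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_db() -> sqlite3.Connection:
    """SQLite stand-in for the SQL Server login table described in the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE Login (
               UserID          INTEGER PRIMARY KEY,
               Username        TEXT UNIQUE NOT NULL,
               Salt            BLOB NOT NULL,
               PasswordHash    BLOB NOT NULL,
               NewPasswordHash BLOB,
               ExpiryDate      TEXT)"""
    )
    return conn


def create_user(conn, username: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)
    conn.execute(
        "INSERT INTO Login (Username, Salt, PasswordHash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def issue_temporary_password(conn, username: str, now: datetime, hours: int = 2):
    """Forgot-password flow: random temporary password, hashed with the user's
    salt, valid until ExpiryDate. The cleartext is returned once for the email."""
    row = conn.execute("SELECT Salt FROM Login WHERE Username = ?", (username,)).fetchone()
    if row is None:
        return None
    temp = secrets.token_urlsafe(12)
    expiry = (now + timedelta(hours=hours)).isoformat()
    conn.execute(
        "UPDATE Login SET NewPasswordHash = ?, ExpiryDate = ? WHERE Username = ?",
        (hash_password(temp, row[0]), expiry, username),
    )
    return temp


def login(conn, username: str, password: str, now: datetime) -> str:
    """'ok' for the real password, 'must_change' for an unexpired temporary
    password (caller must force a new password), otherwise 'denied'."""
    row = conn.execute(
        "SELECT Salt, PasswordHash, NewPasswordHash, ExpiryDate FROM Login WHERE Username = ?",
        (username,),
    ).fetchone()
    if row is None:
        hash_password(password, bytes(SALT_BYTES))  # similar timing for unknown users
        return "denied"
    salt, stored, new_hash, expiry = row
    candidate = hash_password(password, salt)
    if hmac.compare_digest(candidate, stored):
        return "ok"
    if (new_hash is not None and expiry is not None
            and now <= datetime.fromisoformat(expiry)
            and hmac.compare_digest(candidate, new_hash)):
        return "must_change"
    return "denied"


def change_password(conn, username: str, new_password: str) -> None:
    """Re-salt, store the new hash, and clear the temporary password."""
    salt = os.urandom(SALT_BYTES)
    conn.execute(
        "UPDATE Login SET Salt = ?, PasswordHash = ?, NewPasswordHash = NULL, "
        "ExpiryDate = NULL WHERE Username = ?",
        (salt, hash_password(new_password, salt), username),
    )


def demo() -> dict:
    """Runs the whole flow on a constructed user and returns each outcome."""
    conn = open_db()
    now = datetime(2009, 10, 27, 7, 40, tzinfo=timezone.utc)
    create_user(conn, "alice", "correct horse battery staple")
    temp = issue_temporary_password(conn, "alice", now)
    results = {
        "real_password": login(conn, "alice", "correct horse battery staple", now),
        "wrong_password": login(conn, "alice", "not it", now),
        "temp_within_expiry": login(conn, "alice", temp, now + timedelta(hours=1)),
        "temp_after_expiry": login(conn, "alice", temp, now + timedelta(hours=3)),
        "unknown_user": login(conn, "nobody", "anything", now),
    }
    change_password(conn, "alice", "a brand new passphrase")
    results["new_password"] = login(conn, "alice", "a brand new passphrase", now)
    results["temp_after_change"] = login(conn, "alice", temp, now)
    results["old_after_change"] = login(conn, "alice", "correct horse battery staple", now)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:20s} {outcome}")
```

The original password keeps working while a temporary one is outstanding, the temporary one stops working at ExpiryDate, and a password change re-salts and clears the temporary credential, matching the rules given above.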
One option is to convert it into varbinary.
answered Oct 26, 2009 at 03:57 AM