October 31, 2018 at 12:19 pm
In a WinForms VB.NET app, I used the function below to encrypt the password and save it into the USERINFO table.
Is it possible to create a function in SQL to decrypt the password, or do I have to decrypt the password through the app?
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

' Encrypts clearText with AES and returns the ciphertext as a Base64 string.
Private Function Encrypt(clearText As String) As String
    ' Fixed passphrase; both the key and the IV are derived from it below
    Dim EncryptionKey As String = "MATY2SPBNI99878"
    Dim clearBytes As Byte() = Encoding.Unicode.GetBytes(clearText)
    Using encryptor As Aes = Aes.Create()
        ' PBKDF2 over the passphrase with a fixed salt; since neither changes,
        ' every call derives the same key and IV
        Dim pdb As New Rfc2898DeriveBytes(EncryptionKey, New Byte() {&H49, &H76, &H61, &H6E, &H20, &H4D,
                                                                     &H65, &H64, &H76, &H65, &H64, &H65,
                                                                     &H76})
        encryptor.Key = pdb.GetBytes(32)   ' 256-bit AES key
        encryptor.IV = pdb.GetBytes(16)    ' 128-bit IV, the next 16 bytes of the same stream
        Using ms As New MemoryStream()
            Using cs As New CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write)
                cs.Write(clearBytes, 0, clearBytes.Length)
                cs.Close()
            End Using
            clearText = Convert.ToBase64String(ms.ToArray())
        End Using
    End Using
    Return clearText
End Function
October 31, 2018 at 2:56 pm
It's not a good idea to pass or return unencrypted passwords from a database function. Someone might intercept the call and read the password. You should only pass, store and retrieve encrypted passwords to a database.
If the password is only needed for user verification, so it only needs to be checked that it is the same one as saved, then the password should be a salted hash, so it is impossible to decrypt.
October 31, 2018 at 3:49 pm
Never encrypt passwords. Salted hash, then the app hashes (with the same salt) and you compare the hashes.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
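The store-and-verify flow the replies recommend, as an added example that is not from the thread or the poster's code. It is written in Python as a stand-in for the app side; the iteration count, the in-memory USERINFO dictionary and the helper names are assumptions, and PBKDF2-HMAC-SHA256 is used as the salted hash.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; tune for the app's hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_b64, hash_b64) to store in USERINFO; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return base64.b64encode(salt).decode(), base64.b64encode(digest).decode()


def verify_password(password: str, salt_b64: str, hash_b64: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare the hashes."""
    salt = base64.b64decode(salt_b64)
    _, candidate = hash_password(password, salt)
    # constant-time comparison, so timing does not reveal where the hashes first differ
    return hmac.compare_digest(candidate, hash_b64)


# constructed stand-in for the USERINFO table: username -> {salt, hash}
USERINFO = {}


def register(username: str, password: str) -> None:
    salt_b64, hash_b64 = hash_password(password)
    USERINFO[username] = {"salt": salt_b64, "hash": hash_b64}


def login(username: str, password: str) -> bool:
    row = USERINFO.get(username)
    if row is None:
        hash_password(password)  # do the same work so timing does not reveal unknown users
        return False
    return verify_password(password, row["salt"], row["hash"])


if __name__ == "__main__":
    register("alice", "correct horse")
    print(login("alice", "correct horse"))  # True
    print(login("alice", "wrong"))          # False
```

Nothing in this flow can recover the password from the stored row, which is why no SQL decrypt function is needed.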