October 31, 2018 at 12:19 pm
In a WinForms VB.NET app, I used the function below to encrypt passwords and save them into the USERINFO table.
Is it possible to create a function in SQL to decrypt the password, or do I have to decrypt the password through the app?
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Private Function Encrypt(clearText As String) As String
    ' Hard-coded passphrase and fixed salt: every call derives the same key and IV
    Dim EncryptionKey As String = "MATY2SPBNI99878"
    Dim clearBytes As Byte() = Encoding.Unicode.GetBytes(clearText)
    Using encryptor As Aes = Aes.Create()
        Dim pdb As New Rfc2898DeriveBytes(EncryptionKey, New Byte() {&H49, &H76, &H61, &H6E, &H20, &H4D, _
                                                                      &H65, &H64, &H76, &H65, &H64, &H65, _
                                                                      &H76})
        encryptor.Key = pdb.GetBytes(32)   ' 256-bit AES key
        encryptor.IV = pdb.GetBytes(16)    ' 128-bit IV taken from the same derived byte stream
        Using ms As New MemoryStream()
            Using cs As New CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write)
                cs.Write(clearBytes, 0, clearBytes.Length)
                cs.Close()
            End Using
            ' Base64 so the ciphertext can be stored in a string column
            clearText = Convert.ToBase64String(ms.ToArray())
        End Using
    End Using
    Return clearText
End Function
October 31, 2018 at 2:56 pm
It's not a good idea to pass or return unencrypted passwords from a database function. Someone might intercept the call and read the password. You should only pass, store and retrieve encrypted passwords to and from a database.
If the password is only needed for user verification, i.e. it only needs to be checked against the saved one, then the password should be a salted hash, so it is impossible to decrypt.
October 31, 2018 at 3:49 pm
Never encrypt passwords. Salted hash, then the app hashes (with the same salt) and you compare the hashes.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
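As an added illustration of the salted-hash scheme described in the two replies above (this is example code, not from the original poster or the replies, and it is written in Python rather than VB.NET so the logic can be run anywhere): each user gets a random salt, the stored value is PBKDF2-HMAC-SHA256 over password and salt, and login compares a freshly computed hash with the stored one in constant time. Nothing stored can be "decrypted" back to the password, so no SQL decrypt function is needed. The USERINFO table is simulated with a dict; the iteration count and field names are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Iteration count is an assumption for this example; tune it to your hardware budget.
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed stand-in for the USERINFO table: username -> {salt, hash, iterations}
UserRecord = Dict[str, object]


def hash_password(password: str, salt: Optional[bytes] = None) -> UserRecord:
    """Derive a salted hash. A fresh random salt is generated unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(password: str, record: UserRecord) -> bool:
    """Recompute with the stored salt and compare in constant time (never decrypt)."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def store_user(table: Dict[str, UserRecord], username: str, password: str) -> None:
    """Insert or update a row; only salt + hash are persisted, never the password."""
    table[username] = hash_password(password)


# Dummy record so an unknown username costs the same time as a wrong password,
# which avoids leaking which usernames exist through response timing.
_DUMMY = hash_password("dummy-not-a-real-user")


def check_login(table: Dict[str, UserRecord], username: str, password: str) -> bool:
    """Return True only if the user exists and the password matches its stored hash."""
    record = table.get(username)
    if record is None:
        verify_password(password, _DUMMY)  # same cost as a real check
        return False
    return verify_password(password, record)


def fixed_salt_is_deterministic(password: str) -> bool:
    """Show why a hard-coded salt (as in the posted Encrypt function) is weaker:
    equal passwords yield identical stored values, so they can be grouped and
    attacked together. With per-user random salts this does not happen."""
    fixed = b"fixed-salt-value"
    a = hash_password(password, salt=fixed)["hash"]
    b = hash_password(password, salt=fixed)["hash"]
    return a == b


if __name__ == "__main__":
    userinfo: Dict[str, UserRecord] = {}
    store_user(userinfo, "alice", "correct horse battery staple")
    store_user(userinfo, "bob", "correct horse battery staple")
    print("alice ok:", check_login(userinfo, "alice", "correct horse battery staple"))
    print("alice wrong:", check_login(userinfo, "alice", "wrong password"))
    print("same password, different stored hashes:",
          userinfo["alice"]["hash"] != userinfo["bob"]["hash"])
    print("fixed salt repeats:", fixed_salt_is_deterministic("correct horse battery staple"))
```

Note that `check_login` runs a hash even for an unknown username; that keeps the response time uniform, which is a small but cheap hardening step when the check sits behind a login form.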