I have an ASP.NET Web API. I implemented token authentication in which I am trying to validate the user name and password against the database. I am new to JWT, so I need your advice.

Here are my questions:

  1. Should I encrypt username and password in my database?
  2. The client sends the username and password in the request body. Should the client send them in the header instead? And should they be encrypted?

Best Regards.

Andrei Dragotoniu
Cenk

1 Answer

  1. You should absolutely encrypt your password in the database. Even better if you hash it with "salt" (hashing will let you implement the login logic, but the original password will be unrecoverable even if you know the hash).

  2. Sending the password in the request body is fine if the connection is protected by TLS (HTTPS). There's no gain in putting it in the headers.

Usernames are often stored in plain text.

P.S. Your question has nothing specific to JWT, it is just general password management.

battlmonstr
  • Can you share an article/tutorial about hashing in the database? I am using SQL Server 2017. By the way, should the username and password be hashed in the request? – Cenk Mar 03 '19 at 18:20
  • This looks good as general info about hashing - https://crackstation.net/hashing-security.htm . You can do that in your ASP.NET code, or better find some popular library that does that for you (converting passwords to hashes). After that you could write that hash+salt into your SQL Server DB. You might do hashing client side, but that's not something I would recommend. Depends on your needs of course. – battlmonstr Mar 03 '19 at 18:26
  • I will give a password to the client, and it will be hashed and stored in the database. I make the client send the hash in the request. Does it make sense? – Cenk Mar 03 '19 at 18:31
  • What you describe is possible, but not so typical. More typical is that the client sends a password to the backend (the whole thing auto-encrypted with HTTPS/TLS), then you hash it and store it in the DB. – battlmonstr Mar 03 '19 at 18:55
  • Is there any tutorial on storing hash+salt in the DB and comparing the user's password hashed with the salt in ASP.NET Web API? – Cenk Mar 04 '19 at 18:56
  • Check [this question](https://stackoverflow.com/questions/4181198/how-to-hash-a-password) for hashing. For storing, you just store a string in the DB that is a normal string (hash is one string, salt is another string). That code depends on the DB you use, so better if you ask a new question. For comparing, you need to hash the input password, load the hash from the DB, and then just do a normal string compare: if hash(password) == hashFromDB, then the password is correct. – battlmonstr Mar 04 '19 at 19:09
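The store-and-compare flow from the answer and its comments, as an added example rather than code from the question, the answer or the linked posts: the server hashes the submitted password with PBKDF2 and a per-user random salt, stores the two Base64 strings, and on login re-derives the hash from the stored salt and compares in constant time (instead of a plain string compare, so the check does not leak timing). Assumes .NET 6 or later; the column names in the comments are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Added example: server-side password hashing for a Web API login endpoint.
// The client sends the plaintext password in the request body over HTTPS;
// the server never stores the plaintext, only hash + salt.
public static class PasswordHasher
{
    private const int SaltSize = 16;        // 128-bit random salt, unique per user
    private const int HashSize = 32;        // 256-bit derived key
    private const int Iterations = 100_000; // PBKDF2 work factor; raise it over time

    // Called at registration. Returns the two strings to store in the users table
    // (hypothetical columns PasswordHash and PasswordSalt).
    public static (string Hash, string Salt) HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return (Convert.ToBase64String(hash), Convert.ToBase64String(salt));
    }

    // Called at login. Re-derives the hash from the submitted password and the
    // stored salt, then compares in constant time so a wrong password takes
    // the same time to reject regardless of how many bytes matched.
    public static bool Verify(string password, string storedHash, string storedSalt)
    {
        byte[] salt = Convert.FromBase64String(storedSalt);
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class LoginDemo
{
    public static void Main()
    {
        // Registration: hash once, persist both strings (constructed sample password).
        var (hash, salt) = PasswordHasher.HashPassword("correct horse battery staple");

        // Login attempts checked against the stored values; only the first succeeds.
        Console.WriteLine(PasswordHasher.Verify("correct horse battery staple", hash, salt));
        Console.WriteLine(PasswordHasher.Verify("wrong password", hash, salt));
    }
}
```

Only after `Verify` returns true should the endpoint issue the JWT; the hash and salt strings never leave the server.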