Question
Are there any security concerns in choosing to hash a user password at the application level in ASP.NET vs at the database level in SQL CLR? I'm seen it done both ways.
My thinking is that in the application level, the password is only sent once from the browser to the webserver. In a database implementation, the password is sent a second time to the database for hashing.
In the latter case, someone running SQL Server Profiler would be able to see the password sent to the procedure or function in plaintext. I'm not too familiar with SQL Server Auditing, but if it had the ability to capture similar information it would pose a risk as well.
Solution
You should hash the password in your application, not in you database. This means that:
Now you have no problem with someone running a profiler, because the passwords are hashed. Besides that if someone can run a profiler, he can probably do much more damage then reading the passwords...
OTHER TIPS
Hash in the application layer using scrypt or bcrypt, don't depend on general purpose hashing algorithms (MD5, SHA1, SHA512, etc) because of these reasons.
https://stackoverflow.com/questions/19706624
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian