Hi all,
In my web application, I create users using an (MD5 and salt) technique. Once the user is created, I log in with the same user id.
The password should not be in the clear; what I am doing for that, I am explaining here.
What we have used on the server side -
For storing the password we have created two columns for the password in the user table. Here I am using two methods, GenerateSalt() and HashPassword(string password, string salt) (using MD5CryptoServiceProvider).
In the user table, I am storing the generated salt in one column and in the other column I am storing the password after hashing it.
What we are doing while logging in:
While logging in, first we retrieve the salt which is stored for the logging-in user. Then we hash the password (hashing the password with the same method which we used to hash the password before storing it).
Then we check: if the hashed password is the same as the stored one, it means the user is authenticated and gets logged in; otherwise the entered password is incorrect.
What we are doing on the client side –
On the client side we are encrypting the password using JS code along with an MD5 JS file.
But when my security auditor checks the application using Burp Suite, they say that the password is still in clear text; they even sent me a screenshot. See the image below.
What else can I do to hide that password?
If you people want my code, please let me know; I'll put all the code in my next write-up.
Thanks
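The server-side store-and-verify flow described in the post (salt column plus MD5-hashed password column, re-hash on login and compare), as an added Python example; this is not the poster's C# code. The salt length, hex encoding, the in-memory stand-in for the user table and the constant-time comparison are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the two password columns of the user table:
# user_id -> {"salt": ..., "password_hash": ...}
USER_TABLE = {}


def generate_salt(length=16):
    """Random per-user salt (assumption: 16 random bytes, hex-encoded for storage)."""
    return os.urandom(length).hex()


def hash_password(password, salt):
    """MD5 over salt + password, mirroring the post's HashPassword(password, salt)."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def create_user(user_id, password):
    """Store the generated salt in one column and the salted hash in the other."""
    salt = generate_salt()
    USER_TABLE[user_id] = {"salt": salt, "password_hash": hash_password(password, salt)}
    return USER_TABLE[user_id]


def login(user_id, entered_password):
    """Login flow from the post: fetch the stored salt, re-hash the entered
    password with the same method, and compare against the stored hash."""
    row = USER_TABLE.get(user_id)
    if row is None:
        # Unknown user: compute a dummy hash anyway so timing does not reveal
        # whether the user id exists.
        hash_password(entered_password, "0" * 32)
        return False
    candidate = hash_password(entered_password, row["salt"])
    # Constant-time comparison so the check does not leak how many leading
    # characters of the hash matched.
    return hmac.compare_digest(candidate, row["password_hash"])


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    print("right password:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "Tr0ub4dor&3"))
```

Because the salt is random per user, two users with the same password get different stored hashes, which is the property the two-column layout is meant to provide.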