I am working on an application that is targeted at non-technical users. I expect a large number of support calls regarding lost passwords and inability to login.
I am using ASP.NET membership provider that provides 3 options for storing passwords – Clear text, Hashed, Encrypted.
Is it a good idea to store passwords in clear text given the nature of this application? Are there any legal issues involved in storing passwords in clear text?
Never.
There is never a good reason to store passwords in your database, ever. Especially not in clear text. You should be storing the hash of the password only.
The worst thing you can do to a user is broadcast their “recovered” password across the Internet in a clear-text e-mail. It is so easy to simply store a one-way hash of the password which cannot be recovered.
For lost passwords, you simply reset their password and give them a temporary password which they have to change when they log in. Safe and secure.
People often use the same passwords for multiple applications (especially non-technical users). So your application will likely contain the passwords for people’s bank accounts, email, etc.
You have a responsibility to secure users’ passwords, no matter how trivial your application is.
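The approach the answer recommends (store only a salted one-way hash, and on a lost password issue a temporary one the user must change at next login), as an added Python example that is not code from the question's ASP.NET application; the `UserStore` class, the PBKDF2 work factor and the in-memory dictionary are assumptions for illustration. In ASP.NET membership terms this is what choosing the Hashed option instead of Clear gives you.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 300_000  # assumed work factor; raise as hardware allows


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). The digest is one-way: the password cannot be
    recovered from it, which is exactly why it can never be e-mailed back."""
    salt = salt or os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """Constructed in-memory store; a real app persists salt/hash/must_change
    in its database and never the password itself."""

    def __init__(self) -> None:
        self._users = {}

    def create_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest, "must_change": False}

    def verify(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        if user is None:
            hash_password(password)  # same cost for unknown users as for wrong passwords
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["hash"])  # constant-time comparison

    def reset_password(self, username: str) -> str:
        """Lost-password flow: a random temporary password is issued once and
        the account is flagged so the user must choose a new one at login."""
        temp = secrets.token_urlsafe(12)
        salt, digest = hash_password(temp)
        self._users[username].update(salt=salt, hash=digest, must_change=True)
        return temp

    def must_change_password(self, username: str) -> bool:
        return self._users[username]["must_change"]

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self.verify(username, old):
            return False
        salt, digest = hash_password(new)
        self._users[username].update(salt=salt, hash=digest, must_change=False)
        return True
```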