
I plan to send the encrypted password from the application back to the user. I am currently using AES to encrypt user passwords.

I want to send the user's encrypted password back to them in the browser to help them log in automatically after a forgot-password action.

Is it safe to do this?

Jeeva Jsb
    What is this password for? Why do you want to pass a password to the user? Why is it encrypted instead of hashed? There are several things that need to be clarified here. – h4ckNinja Jun 20 '16 at 03:08
  • I am using Rijndael for encryption. I have come across an article saying that this is secure encryption, so I didn't go with hashing. Is it a bad idea to choose Rijndael encryption for users' passwords? – Jeeva Jsb Jun 20 '16 at 03:26
    For user passwords, yes, always hash. – h4ckNinja Jun 20 '16 at 03:37
  • Oh, then I have a bigger security hole in my application, right? Can you suggest any other C# password hashing techniques? – Jeeva Jsb Jun 20 '16 at 03:45
  • Bcrypt is an accepted hashing algorithm. But the other questions for clarification need to be answered so that I can more fully give you a response. – h4ckNinja Jun 20 '16 at 04:09
  • My application is a web application and I am using ASP.NET Identity for token generation in Web API (http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/). From my web application, I generate a token after a successful login. This is used for the subsequent requests (http://stackoverflow.com/questions/37909467/create-refresh-token-through-c-sharp-code-asp-net-identity). I cannot create the context and generate a refresh token through the Web API controller for the forgot-password reset. – Jeeva Jsb Jun 20 '16 at 04:17
  • So I planned to send the encrypted password and username to the user interface and send them back to the API for automatic login after the password reset. – Jeeva Jsb Jun 20 '16 at 04:20

1 Answer

Short answer: This is extremely dangerous and must be avoided.

There are a few things here that should be changed. First, user passwords must always be hashed. As I said in the comments, bcrypt is a common and appropriate hashing mechanism.

Secondly, sending credentials back to a user leaves them open to abuse by an attacker; there is never a good reason to send this information back to the user. When a user exercises the forgot-password functionality of an application, they should log back in with the new password. This removes your feature of automatically logging the user in with their own encrypted password.

h4ckNinja
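The two points in the answer (store only a bcrypt hash, and never hand the password or anything derived from it back to the client after a reset) look like this in C#. This is an added example, not code from the question, the answer, or the linked ASP.NET Identity articles. It assumes the BCrypt.Net-Next NuGet package, whose `BCrypt.Net.BCrypt.HashPassword` and `BCrypt.Net.BCrypt.Verify` methods do the salting and comparison; the `PasswordStore` class, its method names, the in-memory dictionary standing in for a database table, and the sample user and passphrases are all constructed for illustration.

```csharp
// Added example, not from the original Q&A. Assumes the BCrypt.Net-Next
// package (BCrypt.Net.BCrypt.HashPassword / Verify). PasswordStore and its
// methods are illustrative names, not any library's API.
using System;
using System.Collections.Generic;

public sealed class PasswordStore
{
    // bcrypt cost factor (2^12 rounds). Raise it as hardware gets faster.
    private const int WorkFactor = 12;

    // Stand-in for the users table; only the bcrypt hash is ever stored.
    private readonly Dictionary<string, string> _hashes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Hash used when the username is unknown, so a lookup for a missing
    // user takes as long as a real verification (limits user enumeration
    // by timing).
    private static readonly string DummyHash =
        BCrypt.Net.BCrypt.HashPassword("dummy", WorkFactor);

    public void Register(string username, string password)
    {
        // HashPassword picks a random salt and embeds it in the output;
        // the stored string is everything needed to verify later.
        _hashes[username] = BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);
    }

    public bool Verify(string username, string password)
    {
        if (!_hashes.TryGetValue(username, out var storedHash))
        {
            BCrypt.Net.BCrypt.Verify(password, DummyHash);
            return false;
        }
        return BCrypt.Net.BCrypt.Verify(password, storedHash);
    }

    // Forgot-password flow. The caller has already validated the reset
    // token. The new password is hashed and stored, and nothing derived
    // from it is returned: the user signs in again with the new password
    // through the normal login/token endpoint.
    public void ResetPassword(string username, string newPassword)
    {
        if (!_hashes.ContainsKey(username))
            throw new InvalidOperationException("unknown user");
        _hashes[username] = BCrypt.Net.BCrypt.HashPassword(newPassword, WorkFactor);
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new PasswordStore();
        store.Register("jeeva", "correct horse battery staple");

        Console.WriteLine(store.Verify("jeeva", "correct horse battery staple"));
        Console.WriteLine(store.Verify("jeeva", "wrong password"));
        Console.WriteLine(store.Verify("nobody", "anything"));

        // After a reset the old password no longer works and the new one does;
        // the client never receives the password, only a "log in again" response.
        store.ResetPassword("jeeva", "new passphrase 2016");
        Console.WriteLine(store.Verify("jeeva", "correct horse battery staple"));
        Console.WriteLine(store.Verify("jeeva", "new passphrase 2016"));
    }
}
```

Note that there is no `Decrypt` anywhere: a bcrypt hash cannot be turned back into the password, which is exactly why it can be stored where an AES-encrypted password cannot (anyone who obtains the key, or any code that is given the key, can recover every password). If you would rather stay inside the framework the question already uses, the `PasswordHasher` shipped with ASP.NET Identity (PBKDF2-based) is also an acceptable choice; the point is that the stored value is a salted, slow hash and is never sent to the browser.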