I am developing an ASP.NET MVC system, SQL Server database, which will have logins control, and to encrypt the password, I have developed the following functions and procedures:
CREATE FUNCTION [dbo].[ENCRIPTA_SENHA]
(
-- Add the parameters for the function here
@SENHA VARCHAR(200)
)
RETURNS VARBINARY(200)
AS
BEGIN
DECLARE @pwd varchar(50) = 'maicongabriel', @RESULTADO VARBINARY(256)
set @RESULTADO = ENCRYPTBYPASSPHRASE(@PWD, @SENHA)
RETURN @RESULTADO
END
CREATE FUNCTION [dbo].[DECRIPTA_SENHA]
(
-- Add the parameters for the function here
@SENHA VARCHAR(200)
)
RETURNS VARCHAR(200)
AS
BEGIN
DECLARE @pwd varchar(50) = 'maicongabriel'
RETURN CAST(DECRYPTBYPASSPHRASE(@pwd,@SENHA) As VARCHAR(200))
END
CREATE PROCEDURE [dbo].[VALIDA_SENHA]
-- Add the parameters for the stored procedure here
@USUARIO VARCHAR(200), @SENHA varchar(200)
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
-- Insert statements for procedure here
SELECT X.USUARIO FROM
(SELECT USUARIO, DBO.DECRIPTA_SENHA(SENHA) SENHA FROM USUARIOS_TESTE A ) AS X
WHERE X.USUARIO = @USUARIO AND X.SENHA = @SENHA
END
When I'm going to do the insert in the bank via ASP.NET MVC, I would do the same thing in more or less this way:
INSERT INTO USUARIOS_TESTE SELECT 'daniel', dbo.ENCRIPTA_SENHA('123456')
And when I process the login form, I would use my procedure and see if it has returned:
VALIDA_SENHA 'DANIEL','123456'
Is it a good practice to do this? Is there any better way? Because then the passwords will be encrypted in the database, and in the ASP.NET source code only the execution of ENCRIPTA_SENHA and VALIDA_SENHA ..