If you are sending plain password to the database, the data originate in UI tier, ASP.NET. Therefore, before reaching the database, it passed through the network. This post can relatively easily be eavesdropped. No one is supposed to know your original password, even the database administrator with full privileges. If someone posts the hash of the password, the original password is never exposed to anything except your local computer, not even the database. The passwords stored in the database came in their hashed forms in first place; and the cryptographic hash function cannot be reversed (don't use MD5 or SHA-1 though, use, for example, one of SHA-2 algorithms). The hash is compared with hash.
For some background, please see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function[
^].
One problem remains: someone could eavesdrop you hash and later impersonate you, but this is covered by using HTTPS protocol instead of HTTP:
http://en.wikipedia.org/wiki/HTTPS[
^].
See also my past answers:
i already encrypt my password but when i log in it gives me an error. how can decrypte it[
^],
Decryption of Encrypted Password[
^],
storing password value int sql server with secure way[
^].
—SA
Submit an article or tip