Are there any security concerns in choosing to hash a user password at the application level in ASP.NET vs at the database level in SQL CLR? I'm seen it done both ways.

My thinking is that in the application level, the password is only sent once from the browser to the webserver. In a database implementation, the password is sent a second time to the database for hashing.

In the latter case, someone running SQL Server Profiler would be able to see the password sent to the procedure or function in plaintext. I'm not too familiar with SQL Server Auditing, but if it had the ability to capture similar information it would pose a risk as well.

You should hash the password in your application, not in you database. This means that:

• Browser to application -> password is send in plain text protected by ssl
• application to database -> password is allways hashed

Now you have no problem with someone running a profiler, because the passwords are hashed. Besides that if someone can run a profiler, he can probably do much more damage then reading the passwords...

Hash in the application layer using scrypt or bcrypt, don't depend on general purpose hashing algorithms (MD5, SHA1, SHA512, etc) because of these reasons.

Here are .Net implementations for scrypt and bcrypt.