encrypt and decrypt passwords in c#.net

+9  A: 

First, you're not actually going to save the encrypted password anywhere; rather, you'd perform a one-way hash (e.g., SHA) and store that hash. Then when you challenge a user for his password, you perform the same hash. If the new hash matches the stored hash, you've got a match.

The difference between a hash and encryption is that with encryption you can recover the original text, whereas with a hash you cannot.

Read up on SHA (Secure Hashing Algorithm) and other hashing algorithms. This should give you a good start.

Even better, learn about the built-in Membership API in .NET. It's almost trivial to implement and it manages all that unpleasantness about user IDs, passwords, logging in, logging out and a lot more for you.

Bob Kaufman
good answer, except that MD5 should NOT be used for security related implementation anymore.
Jacco
In the typical case you are correct, you'd generally store a password hash, but there are exceptions. I have an application where I store actual passwords. It's a guest account system for our University. Rather than expose passwords to our Help Desk staff I provide a way to reset a guest's password to the original if they have forgotten what they changed it to. It stores these using reversible encryption in a database. You can store encrypted anything as long as you keep the secret key, secret.
tvanfosson
@Jacco - what the heck was I thinking?! It's early. SHA, not MD5. Thanks for the tap. Edited accordingly.
Bob Kaufman
@Bob Kaufman - SHA-1 is close, theoretically, to being broken. There'll be another shift soon :D
Calyth
+1: for the Membership API
Mahin
@tvanfosson - You've sent me looking for a definitive article "why we hash rather than encrypt passwords", can't find it. I suppose it depends on the value of the account the password protects. I certainly wouldn't trust a financial institution that can recover my password.
Bob Kaufman
@tvanfosson - here's a pretty good one, right in our collective backyard: http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it
Bob Kaufman
-1 for not mentioning a salt in the hash, +1 for mentioning not to re-invent the wheel.
csharptest.net
You should use the BCrypt algorithm, not MD5 or SHA. BCrypt is designed to be slow, so brute force will take much longer (you can actually set a strength per hash). Also, the salt is stored with the hashed value, so you can't forget to use a salt.
troethom
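The hash-versus-encryption distinction from this answer, and the reversible-storage exception raised in the comments, side by side in working C#. This is an added example, not code from the answer or from the .NET Membership API; the record layout, the iteration count and the nonce || tag || ciphertext blob format are choices made for the example. It targets .NET 8 or later (for `Rfc2898DeriveBytes.Pbkdf2`, `RandomNumberGenerator.GetBytes` and the two-argument `AesGcm` constructor). The login path keeps only a salted PBKDF2 digest, from which the password cannot be recovered; the guest-reset path keeps AES-GCM ciphertext, which comes back only to a holder of the key, so the key must live outside the database.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// What the login table stores: enough to re-derive and compare, never to recover.
public sealed class StoredPassword
{
    public byte[] Salt { get; init; } = Array.Empty<byte>();
    public int Iterations { get; init; }
    public byte[] Hash { get; init; } = Array.Empty<byte>();
}

public static class PasswordHashing
{
    // Example parameters (assumptions, not .NET defaults): raise Iterations
    // until a hash costs roughly 100 ms on your own hardware.
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 200_000;

    public static StoredPassword Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh per record
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return new StoredPassword { Salt = salt, Iterations = Iterations, Hash = hash };
    }

    public static bool Verify(string candidate, StoredPassword stored)
    {
        // Re-run the same one-way function with the stored salt and parameters...
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(candidate, stored.Salt, stored.Iterations,
                                                  HashAlgorithmName.SHA256, stored.Hash.Length);
        // ...and compare in constant time so timing does not leak the matching prefix.
        return CryptographicOperations.FixedTimeEquals(actual, stored.Hash);
    }
}

// The exception from the comments: a secret that genuinely must be handed back.
public static class ReversibleSecret
{
    private static readonly int NonceLen = AesGcm.NonceByteSizes.MaxSize; // 12
    private static readonly int TagLen = AesGcm.TagByteSizes.MaxSize;     // 16

    // Blob layout (chosen for this example): nonce || tag || ciphertext.
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen); // must never repeat under one key
        byte[] plain = Encoding.UTF8.GetBytes(plaintext);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagLen];
        using var aes = new AesGcm(key, TagLen);
        aes.Encrypt(nonce, plain, cipher, tag);

        byte[] blob = new byte[NonceLen + TagLen + cipher.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceLen);
        Buffer.BlockCopy(tag, 0, blob, NonceLen, TagLen);
        Buffer.BlockCopy(cipher, 0, blob, NonceLen + TagLen, cipher.Length);
        return blob;
    }

    public static string Decrypt(byte[] key, byte[] blob)
    {
        byte[] nonce = blob[..NonceLen];
        byte[] tag = blob[NonceLen..(NonceLen + TagLen)];
        byte[] cipher = blob[(NonceLen + TagLen)..];
        byte[] plain = new byte[cipher.Length];
        using var aes = new AesGcm(key, TagLen);
        aes.Decrypt(nonce, cipher, tag, plain); // throws CryptographicException if the blob was altered
        return Encoding.UTF8.GetString(plain);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input for the example.
        StoredPassword record = PasswordHashing.Hash("correct horse battery");
        Console.WriteLine(PasswordHashing.Verify("correct horse battery", record));
        Console.WriteLine(PasswordHashing.Verify("correct horse batter", record));
        // Nothing in `record` lets anyone, help desk included, print the password back out.

        // Key would come from a key vault or config protection, never from the same database.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        byte[] blob = ReversibleSecret.Encrypt(key, "guest-initial-pw");
        Console.WriteLine(ReversibleSecret.Decrypt(key, blob));
    }
}
```

The two halves answer different threats. If the database leaks, the PBKDF2 records cost an attacker one slow derivation per guess per user; the AES-GCM blobs cost nothing to open if the key leaked with them, which is why the comment's "keep the secret key secret" is the whole security argument for reversible storage.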
+1  A: 

There is lots of good and bad information on the internet about storing passwords. You need to know two things:

  1. You should use a 'salted' hash to prevent dictionary attacks
  2. You should use at minimum the SHA256 hash provider

A quick search gave me this sample code: http://www.obviex.com/samples/hash.aspx

and I'd go with this SaltedHash utility class (looks fairly complete at a glance):

http://www.dijksterhuis.org/creating-salted-hash-values-in-c/

csharptest.net
+1 for the salt
Malte Clasen
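The salted SHA256 scheme this answer recommends, written out so the effect of the salt is visible: two accounts that share a password get the same unsalted digest (one precomputed table cracks both) but different salted records. This is an added example, not the linked sample or the SaltedHash utility class; the `base64(salt)$base64(hash)` storage format and the 16-byte salt are choices made here, and it assumes .NET 6 or later for `SHA256.HashData` and `RandomNumberGenerator.GetBytes`. One caveat the answer leaves out: a salted SHA256 is still fast to compute, so it stops table lookups but not per-user brute force; a deliberately slow function (PBKDF2, bcrypt, as troethom's comment on the other answer says) is the stronger choice when you have the option.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SaltedHash
{
    private const int SaltBytes = 16; // example size; 16 random bytes is plenty

    // Plain SHA-256 of the password alone: identical input, identical digest,
    // so one rainbow table serves for every user with that password.
    public static string UnsaltedSha256(string password)
    {
        return Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(password)));
    }

    // Salted form: a fresh random salt per record, hashed as salt || password.
    // The salt is stored next to the hash (format chosen for this example:
    // "base64(salt)$base64(hash)"; '$' is not in the base64 alphabet) so it
    // cannot be forgotten or lost.
    public static string Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Compute(salt, password);
        return Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(hash);
    }

    public static bool Verify(string candidate, string stored)
    {
        int sep = stored.IndexOf('$');
        if (sep < 0) return false;
        byte[] salt = Convert.FromBase64String(stored.Substring(0, sep));
        byte[] expected = Convert.FromBase64String(stored.Substring(sep + 1));
        byte[] actual = Compute(salt, candidate);
        // Constant-time comparison: an early-exit '==' on byte arrays leaks
        // how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Compute(byte[] salt, string password)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        return SHA256.HashData(input);
    }

    public static void Main()
    {
        // Constructed sample: two accounts that happen to share a password.
        const string shared = "hunter2";
        Console.WriteLine("unsalted digests equal: " +
                          (UnsaltedSha256(shared) == UnsaltedSha256(shared)));

        string alice = Create(shared);
        string bob = Create(shared);
        Console.WriteLine("salted records equal:   " + (alice == bob));

        Console.WriteLine("alice verifies: " + Verify(shared, alice));
        Console.WriteLine("bob verifies:   " + Verify(shared, bob));
        Console.WriteLine("wrong password: " + Verify("hunter3", alice));
    }
}
```

Because each record carries its own salt, an attacker with the table has to attack each user separately rather than hashing a dictionary once and matching it against every row; that is the dictionary-attack protection the answer's first point refers to.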