I have seen this question: http://stackoverflow.com/questions/287517/encrypting-hashing-plain-text-passwords-in-database

I am aware I shouldn't do md5("salt" + password); and I see an implementation in Python for a solution.

Is there a .NET built-in function with params I can use instead of writing my own?

A: 

This will probably do it:

http://msdn.microsoft.com/en-us/library/system.security.cryptography.hmacsha1.aspx

There is some sample C# code here:

http://www.obviex.com/samples/hash.aspx

jspcal
+1  A: 

I don't think there's a single function but you can do it in a few lines (here using SHA512, but there are other options):

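using System;
using System.Security.Cryptography;
using System.Text;
// saltedPassword: the password already combined with its salt
using (var sha = new SHA512CryptoServiceProvider())
{
    // UTF8 gives the same bytes on every machine; Encoding.Default depends on the system code page
    byte[] hashed = sha.ComputeHash(Encoding.UTF8.GetBytes(saltedPassword));
    string output = Convert.ToBase64String(hashed);
}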

Make sure you use one of the Crypto... classes to ensure the more secure algorithm is used.

John Bowen
Very bad plan. A hash without a salt is subject to a rainbow table attack. Your use of the crypto classes was good but you must include a salt to make this answer useful. Also, the last line should use `Convert.ToBase64String`, which is as fast as `BitConverter.ToString` and produces a much shorter string (88 bytes vs 192 bytes in this case). If these two problems are corrected this could become the best answer, IMHO.
Ray Burns
Thank you for the clarification. Yes, obviously the password should be salted before hashing which I was intending here but I see where the confusion came from. I'll update to be more explicit. Thanks for mentioning the Base64String conversion too.
John Bowen
+3  A: 

Check out FormsAuthentication.HashPasswordForStoringInConfigFile

string hashMD5 = FormsAuthentication.HashPasswordForStoringInConfigFile(Pass + Salt, "MD5");

string hashSHA1 = FormsAuthentication.HashPasswordForStoringInConfigFile(Pass + Salt, "SHA1");
Baddie