views:

99

answers:

4

I thought this would've been a lot simpler but at this point I'm confused and haven't progressed at all.

Basically, I need to be able to accept a password from a user in a WPF app, encrypt it then store this in a database and be able to decrypt later on. However I'm not sure how to implement this.

This is completely trivial so whether it's safe or not doesn't matter. All I need is for it to get working, only I'm unsure exactly how to do it. I've tried playing around with the DESCryptoServiceProvider() but haven't gotten anywhere.

To be clear, how exactly do I go about converting a simple password into something that's been encrypted and storing it in the database (and what fields would I store it in). At this point, I'm happy if there's only one key and that key is being defined in the source code.

Any suggestions?

Edit: To clarify further, I can't 'encode'. It has to be encrypted for the purposes of this exercise (i.e. it needs to have a key generated). I believe SHA is an encoding algorithm, not encryption.

+1  A: 

You need to store an irreversible salted hashcode of the password.

Use SHA512Managed.

SLaks
+2  A: 

Is there anything against using one way encryption? SHA would do this - you don't need to decrypt it; you only need to check the user is entering the correct password again, which you can do by encrypting their entered password and comparing the resulting hash to the hash stored in your database.

Remember to salt it too!

Nick
+2  A: 

Don't try and code your own scheme for this; you'll likely get something wrong and leave it insecure.

Better use something like BCrypt to do it for you.

And as for how to store it, BCrypt will return a string encoding of the hashed password that is very easy to store in the database.

To be clear, it works like this. When you first store the user's password you:

  • get the password from the user
  • pass the password to the BCrypt HashPassword method
  • it returns a string that is the hash of the password
  • you store the hash in the database against the user's record

When the user comes to login later you:

  • get the password from the user
  • get the hash for the user from the database
  • pass the hash and the password the user provided to the BCrypt CheckPassword method
  • BCrypt returns true or false depending on whether the password matches

andynormancx
Where would the key be stored?
NRaf
What key? It is very hard to tell from the mixture of terms you are using exactly what you are trying to do.
andynormancx
Apologies. I guess I had gotten myself confused. I took a second look at what my teacher actually stated and took some time to absorb it. I had confused the distinction between encryption and encoding which, I suppose, is what led to this mess of a posting.
NRaf
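The register-then-login flow described in the answer above, as an added example that is not part of the original thread. It uses Python's standard-library PBKDF2-HMAC-SHA512 (a salted, iterated SHA-512, in the spirit of the other answers) in place of the BCrypt package so it runs with no dependencies; with bcrypt the two functions map one-to-one onto its hash and check calls. The SQLite table, the `users`/`password_hash` names, the stored-string format and the sample user are assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 210_000     # PBKDF2 work factor (assumed value; raise it as hardware gets faster)
ALGORITHM = "pbkdf2_sha512"

def hash_password(password: str, salt: bytes = b"") -> str:
    """Registration: salt + one-way hash, packed as 'algo$iters$salt_hex$hash_hex'
    (format assumed here) so the check can recover the salt and work factor later."""
    salt = salt or os.urandom(16)   # fresh random salt per user unless the caller supplies one
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"

def check_password(password: str, stored: str) -> bool:
    """Login: recompute with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:                     # malformed or truncated database value
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)   # no early-exit timing leak

# Hashed once so that a lookup of an unknown user costs the same as a real check.
DUMMY_HASH = hash_password("not-a-real-password")

def create_schema(conn: sqlite3.Connection) -> None:
    # Only the hash string is stored; there is no key to keep anywhere (assumed schema).
    conn.execute("CREATE TABLE IF NOT EXISTS users "
                 "(username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")

def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 (username, hash_password(password)))

def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    # check_password always runs (against DUMMY_HASH if the user is unknown), then the row test.
    return check_password(password, row[0] if row else DUMMY_HASH) and row is not None

def demo() -> tuple:
    conn = sqlite3.connect(":memory:")   # constructed sample run, nothing touches disk
    create_schema(conn)
    register(conn, "alice", "correct horse battery staple")   # constructed sample user
    return (login(conn, "alice", "correct horse battery staple"),
            login(conn, "alice", "wrong password"), login(conn, "bob", "anything"))
```

`demo()` returns `(True, False, False)`: the right password for a known user, a wrong password, and an unknown user.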
A: 

If you are using SQL Server 2005 or later, there is built-in encryption in the database that you can use to protect the data without writing your own decrypt/encrypt code.

That article covers SQL 2005 - for SQL 2008 start here.

Encryption algorithms define data transformations that cannot be easily reversed by unauthorized users. SQL Server allows administrators and developers to choose from among several algorithms, including DES, Triple DES, TRIPLE_DES_3KEY, RC2, RC4, 128-bit RC4, DESX, 128-bit AES, 192-bit AES, and 256-bit AES.

Steve Townsend