1

I am storing user logon encrypted passwords in a database (SQL Server). Because of an API restriction, the passwords need to be encrypted on the C# end of things, so I can't use the database's built-in encryption. what is the fastest/easiest way to encrypt these passwords so I can compare them to what the user would have typed in to a third-party service later?

I am new to C# and I understand that passwords should never be in plain text so that's why I want to make sure I have the highest security. I have tried using the RSA.EncryptValue() function but I'm pretty lost as to how to use it correctly.

Any help is appreciated - thanks in advance.

-Jimmy

james
  • 170
  • 1
  • 3
  • 9
  • 3
    fastest / easiest / highest security. Choose one. – Mark Byers Apr 19 '12 at 21:00
  • 2
    http://stackoverflow.com/questions/4181198/how-to-hash-a-password – Ken Browning Apr 19 '12 at 21:00
  • ken - that won't work for me, i need to compare the passwords to a third party service so I need the original, let me rephrase the question. – james Apr 19 '12 at 21:09
  • @james if you need to original password to send a third party you need to decrypt. hashed passwords are one way and you can't get original password. As you asked in your question, you can encrypt and than decrypt password with rsa as in my answer. – Nesim Razon Apr 19 '12 at 21:16
  • 1
    @NesimRazon answering the question's one thing, encouraging bad practices is just daft. I'd love to know what third party genuinely considers it ok to accept authentication in this way rather then Token Exchange or OAUTH. – Chris McKee Apr 19 '12 at 21:19
  • chris - it's a piece of shit legacy system that I wish I never had to lay eyes on – james Apr 19 '12 at 21:23
  • @james your a .net developer; a hell of allot of stuff you'll come across in your career will be just that ;) – Chris McKee Apr 19 '12 at 21:49

3 Answers3

12

You don't want to encrypt and store passwords. You want to generate a hash and store that. Then, when a user is logging in, you regenerate the hash and compare it to the one stored in the database.

The answers to this question provide examples of how one might hash a password in c# (one answer includes information on doing a "salted" hash).

Community
  • 1
  • 1
Steve Wellens
  • 20,506
  • 2
  • 28
  • 69
  • actually, I do want to encrypt and store the password! if I wanted to hash the password I would have asked that instead – james Apr 19 '12 at 21:16
  • You can't have the highest security if you store passwords (encrypted or not). Comparison of "passwords" should always be done with a hash. – Peter Ritchie Apr 19 '12 at 22:09
  • You are right I was supposed to hash - serves me right for reading the worthless docs – james Apr 25 '12 at 21:58
3

Firstly dont encrypt; hash. Secondly dont encrypt; hash.

A password should never be recoverable.

I'd advise reading... http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html front to back.

You should salt your passwords and hash using a decent hashing algorithm; take SHA512 for the low end, or if your serious about protecting that data look at something more along the lines of BCrypt http://code.google.com/p/bcryptnet/

The point in hashing rather than encrypting isn't to secure your site against brute force attacks, but more importantly, is to secure your users against data loss.

i.e. http://www.bbc.co.uk/news/technology-11998648 - Gawker https://www.google.co.uk/search?sourceid=chrome&ie=UTF-8&q=sony+hacked

People put allot of trust in the hands of web developers taking care of their, often pathetic, passwords. Taking good care of them can make a hell of a lot of difference.

With BCrypt you set a workfactor to the salting; I would also add a database salt (see the troy hunt membership provider article on how MSFT does it) to increase the original password value.

Example from the BCrypt site (BCrypt.net is also a NUGET package)

 // Pass a logRounds parameter to GenerateSalt to explicitly specify the 
 // amount of resources required to check the password. The work factor  
 // increases exponentially, so each increment is twice as much work. If 
 // omitted, a default of 10 is used. 

 string hashed = BCrypt.HashPassword(password);

 // Check the password. 
 bool matches = BCrypt.CheckPassword(candidate, hashed);

Hope thats been of use.

You can of course use the built in forms authentication encryption system to encrypt/decrypt your data. Though it's somewhere between daft and dangerous to encrypt passwords.

You'd also need to add a machineKey tag to your web config, microsoft provides a generator for this; http://aspnetresources.com/tools/machineKey The tool creates a 256-bit decryption key and a 512-bit validation key, with Rijndael as the data validation algorithm.

And if you DO NEED (as in you'll be shot if you don't) to start throwing plaintext passwords around, for all that is holy, check the service is restricting by IP (IPSec) and please, dear god, use SSL.

Chris McKee
  • 4,298
  • 10
  • 48
  • 83
0

Like Steve Wellens mentioned generate a hash. Hope this gives some insight on the different ones available

Steve Wellens
  • 20,506
  • 2
  • 28
  • 69
user1270384
  • 711
  • 7
  • 24
  • 53