0

Possible Duplicate:
Best way to store password in database

Does anyone know a way to secure a password that the user is creating on the site, which is then saved in a database table?

The passwords are currently stored as plain text, I know... I know!

Thanks

Funky
  • And you found no post related to this on SO ? Like this http://stackoverflow.com/questions/6563269/how-to-save-the-password-in-c-sharp-net – V4Vendetta Jun 12 '12 at 10:27
  • http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database – David Brabant Jun 12 '12 at 10:27
  • Is this a password that is only used to log in to the site, or is it used to perform some action on behalf of the user? – Gabe Jun 12 '12 at 10:27
  • 1
    You don't store the password in the database, you store a secure hash of the password so that you can authenticate the user's knowledge of the password. The definition of `secure hash` changes depending on when you read this comment. – Jodrell Jun 12 '12 at 10:29
  • This really depends on the scenario. Is it okay to send the cleartext password from the client to the server? If not, you would have to encrypt it in javascript or the likes. Otherwise, you can use one of the various algorithms to encrypt it on the server and only store the hash as described here [http://stackoverflow.com/questions/2138429/hash-and-salt-passwords-in-c-sharp]. – Franky Jun 12 '12 at 10:31

4 Answers

2

The standard answer goes like this: Do not store passwords in clear text. Store hashed versions of passwords. When you hash passwords, choose an appropriate hashing algorithm and use unique salt values as well. http://www.troyhunt.com/2011/06/owasp-top-10-for-net-developers-part-7.html

Also PLEASE read this. http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/

Some hashing algorithms are too fast (or too easy to break using modern computing power). Use password hashing algorithms (like scrypt).

DmitryK
1

Salt the password using a per-record salt (i.e. all users use a different salt based on some piece of user information). Then take this salted password and hash it using some hashing algorithm such as a SHA hash.

See for example Hash and salt passwords in C#

Anders Forsgren
0

You can secure a password by hashing it

Dennis Traub
0

You can hash it using MD5 encrypt.

Oleksandr Fentsyk
  • No, MD5 hashing (not encrypting) is a bad idea these days. SHA-1 is a bad idea too. – DmitryK Jun 12 '12 at 10:33
  • Very confusing when you have hash and encrypt in one line – V4Vendetta Jun 12 '12 at 10:33
  • MD5 (or any algorithm that's computationally trivial) is a poor choice for hashing passwords. As of writing, PBKDF2 with at least 10,000 iterations is a good choice. Implemented in the Framework by [Rfc2898DeriveBytes](https://msdn.microsoft.com/en-us/library/system.security.cryptography.rfc2898derivebytes%28v=vs.110%29.aspx). – stevieg May 26 '15 at 00:36