2

Possible Duplicate:
Preferred Method of Storing Passwords In Database

My problem is similar to this one discussed here: Best way to store password in database

I need to store passwords of external FTP logins in the database which will be used by the application. The solution of the linked topic is not applicable because it's hashing the password.

I'm using C# and connecting to a SQL Server 2008. Does someone have an example solution? I think I just have to encrypt the password, store it in encrypted form and if the application wants to use the password -> decrypt.

niklr

2 Answers

2

The best way of storing passwords is using a strong hash function; however, as in your case here, you sometimes need to pass an unencrypted string to a 3rd-party library or service.

In this case I would use the strongest cipher (so you can reverse it) algorithm you could.
Always use a well-known, trusted and well-tested 3rd-party library for your encryption needs; it's far too easy to get this wrong unless you're an expert in the field of encryption.

Since version 2005, SQL Server has had built-in hashing functions (direct in T-SQL) so may have built-in cipher functions as well, see T-SQL cryptographic functions for details and examples.

For FTP use it's worth seeing if the FTP site supports secure FTP (FTPS) or FTP over SSH, note these are both different from SFTP which is not related to FTP except that it does the same job.
See FTP on Wikipedia.

SteB
1

Probably the best version is if you encrypt the pass and store it to the database, then when the application needs to check if the password is correct you don't decrypt the stored password, but you have to encrypt the inserted one and check if they are the same.

There are many good encrypting algorithms around, for example: Simple insecure two-way "obfuscation" for C#

However you can always write your own, it's a lot of fun...

gabrjan
  • My application will need the password to log onto an external FTP. The credentials will be provided before and thus have to be stored in the database. So encrypt once and decrypt every time I need the password is the way to go? – niklr Oct 04 '12 at 08:06
  • Well if you put it that way. Then you really should decrypt it and probably store it so you don't need to do it every time. – gabrjan Oct 04 '12 at 13:22
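
The encrypt-once, decrypt-on-use approach the question asks about, as an added C# example that is not code from any poster in this thread: it uses authenticated encryption (AES-256-GCM through .NET's `AesGcm`, .NET 8 or later) so a modified database value is rejected instead of decrypting to garbage. The class name, blob layout and `rowId` parameter are assumptions of this example, and the key is assumed to be loaded from somewhere other than the database that holds the ciphertext.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example. Blob layout (this example's choice): nonce(12) || tag(16) || ciphertext,
// suitable for a varbinary column. Requires .NET 8 or later for this AesGcm constructor.
static class FtpSecretProtector
{
    const int NonceSize = 12, TagSize = 16;

    // rowId (hypothetical: the FTP account's primary key) is bound as associated data,
    // so a blob copied into another row fails authentication on decrypt.
    public static byte[] Protect(byte[] key, string password, string rowId)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] blob = new byte[NonceSize + TagSize + plain.Length];
        Span<byte> nonce = blob.AsSpan(0, NonceSize);
        RandomNumberGenerator.Fill(nonce);              // fresh nonce per encryption
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plain, blob.AsSpan(NonceSize + TagSize),
                    blob.AsSpan(NonceSize, TagSize), Encoding.UTF8.GetBytes(rowId));
        return blob;
    }

    public static string Unprotect(byte[] key, byte[] blob, string rowId)
    {
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("Stored blob is too short.");
        byte[] plain = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        // Throws CryptographicException if key, rowId or any stored byte is wrong.
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize),
                    blob.AsSpan(NonceSize, TagSize), plain, Encoding.UTF8.GetBytes(rowId));
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        // Demo key only. In deployment the 32-byte key is loaded from outside the database.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        byte[] stored = Protect(key, "constructed-sample-password", "ftp-account-42");
        Console.WriteLine(Unprotect(key, stored, "ftp-account-42"));

        stored[^1] ^= 0x01;                             // simulate a modified database value
        try { Unprotect(key, stored, "ftp-account-42"); }
        catch (CryptographicException) { Console.WriteLine("tampered blob rejected"); }
    }
}
```

Anyone who can read both the key and the table can recover every stored FTP password, so the key's storage location and access control carry the security of this scheme.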