How can I encrypt and decrypt passwords in C#? Thanks for any help.

Donut

2 Answers

First, you're not actually going to save the encrypted password anywhere; rather, you'd perform a one-way hash (e.g., SHA) and store that hash. Then when you challenge a user for his password, you perform the same hash. If the new hash matches the stored hash, you've got a match.

The difference between a hash and encryption is that with encryption, you can recover the original text, where with a hash you cannot.

Read up on SHA (Secure Hashing Algorithm) and other hashing algorithms. This should give you a good start.

Even better, learn about the built-in Membership API in .NET. It's almost trivial to implement and it manages all that unpleasantness about user IDs, passwords, logging in, logging out and a lot more for you.

Bob Kaufman
  • good answer, except that MD5 should NOT be used for security related implementation anymore. – Jacco Oct 03 '09 at 13:00
  • In the typical case you are correct, you'd generally store a password hash, but there are exceptions. I have an application where I store actual passwords. It's a guest account system for our University. Rather than expose passwords to our Help Desk staff I provide a way to reset a guest's password to the original if they have forgotten what they changed it to. It stores these using reversible encryption in a database. You can store encrypted anything as long as you keep the secret key, secret. – tvanfosson Oct 03 '09 at 13:01
  • @Jaccco - what the heck was I thinking?! It's early. SHA, not MD5. Thanks for the tap. Edited accordingly – Bob Kaufman Oct 03 '09 at 13:05
  • 1
    @Bob Kaufman - SHA-1 is close, theoretically, to be broken. There'll be another shift soon :D – Calyth Oct 03 '09 at 13:07
  • @tvanfosson - You've sent me looking for a definitive article "why we hash rather than encrypt passwords", can't find it. I suppose it depends on the value of the account the password protects. I certainly wouldn't trust a financial institution that can recover my password. – Bob Kaufman Oct 03 '09 at 13:09
  • @tvanfosson - here's a pretty good one, right in our collective backyard: http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it – Bob Kaufman Oct 03 '09 at 13:13
  • -1 for lack of mentioning providing salt in the hash, +1 for mentioning not to re-invent the wheel. – csharptest.net Oct 03 '09 at 13:41
  • You should use the BCrypt algorithm, not MD5 or SHA. BCrypt is designed to be slow, so brute force will take a much longer time (you can actually set a strength per hash). Also the salt is stored with the hashed value, so you can't forget to use a salt. – Troels Thomsen Oct 03 '09 at 14:15
  • +1 for mentioning SHA-1 being very close to broken. SHA-2 is too close to SHA-1 algorithmically as well, so it should not be used in the long term if you can help it. – Jason M Nov 11 '10 at 22:20
UPDATED

See this answer: C# Password Encryption

-- or --

Read this post: http://csharptest.net/470/another-example-of-how-to-store-a-salted-password-hash/


There is lots of good and bad information on the internet about storing passwords. You need to know two things:

  1. You should use a 'salted' hash to prevent dictionary attacks
  2. You should use at minimum the SHA256 hash provider

A quick search gave me this sample code: http://www.obviex.com/samples/hash.aspx

and I'd go with this SaltedHash utility class (looks fairly complete at a glance):

http://www.dijksterhuis.org/creating-salted-hash-values-in-c/

csharptest.net
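The two rules in the answer above (random salt, SHA256 or better), worked through as an added example that is not code from either answer or the linked utility classes; the class and method names are my own, and the constant-time comparison assumes .NET Core 2.1 or later. As the BCrypt comment notes, a plain SHA256 is fast, so a deliberately slow function is the better choice for a real deployment; the salt handling and verification pattern shown here are the same either way.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Example class (not from the original answers): salted SHA256 password storage.
public static class SaltedHash
{
    private const int SaltSize = 16; // 128-bit random salt, unique per password

    // Returns "base64(salt):base64(hash)" for storage next to the user record.
    public static string Create(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt); // CSPRNG, never a fixed or predictable salt
        }
        byte[] hash = Compute(password, salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Re-hashes the candidate with the stored salt and compares in constant time,
    // so the response time does not reveal how many bytes of the hash matched.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[0]);
            expected = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; } // malformed record: reject, don't throw
        byte[] actual = Compute(password, salt);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // SHA256(salt || UTF-8(password)). Because the salt differs per user, one
    // precomputed dictionary/rainbow table cannot be reused across all users.
    private static byte[] Compute(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (var sha = SHA256.Create())
        {
            return sha.ComputeHash(input);
        }
    }
}
```

Store the string returned by `Create` at registration and call `Verify(candidate, storedValue)` at login; the same password hashed twice yields two different stored values because each call draws a fresh salt.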