
I am having a dilemma in choosing which encryption to use. I have to store passwords in a database. I would like to encrypt the passwords. I am using C# and am looking for reasons to choose between AES and RijndaelManaged. I have looked for a succinct answer but I can find none which clearly states which is better today.

If one can provide a link, I would appreciate it.

  • Are you sure you want to *encrypt* the passwords? Shouldn't you be *hashing* them instead? Encrypting is a two-way process; passwords can be decrypted. Hashing is a one-way process. – dcastro May 15 '14 at 13:06
  • Never store passwords, encrypted or not, in the database. Only hashes. – Samuel May 15 '14 at 13:08
  • Encrypting passwords is also known as "doing it wrong" – Marc Gravell May 15 '14 at 13:08
  • I would like to encrypt the passwords in a database, and then allow the user to edit the passwords. It's going to be a local system; there is going to be no network access, so it should be more secure. But is there a method to allow a password to be encrypted, stored in a database, then decrypted, then edited, then re-encrypted? –  May 15 '14 at 13:20
  • What is wrong with allowing users to **reset** (rehash) the passwords? These never remain the same. In the future, your application might have to be put online, and then nobody would care about hashing passwords. The excuse would be that too many users would have to be reset. – Agent Shark May 15 '14 at 13:30
  • Just use the method practically every web site uses for password change: if you want to change your password, you have to supply your existing password and a new one. If the hash of the entered old one doesn't match the hash stored, then you can't change it. – Mashton May 15 '14 at 13:30

2 Answers

3

If possible, you should use salted passwords with a one-way hash.

Hash and salt passwords in C#

– Chad
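As an added illustration of this answer (and of Mashton's password-change comment above), not code from the answer or the linked article: salted one-way hashing in C# with PBKDF2, plus a change flow that verifies the old password and rehashes the new one, so nothing is ever decrypted. It assumes .NET 6 or later; the stored record layout and the `PasswordHasher` class name are this example's own choices.

```csharp
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    private const int SaltSize = 16;        // 128-bit random salt, unique per password
    private const int HashSize = 32;        // 256-bit derived key
    private const int Iterations = 600_000; // PBKDF2-HMAC-SHA256 work factor; tune for your hardware

    // Returns "iterations.saltBase64.hashBase64". Only this string goes into the database.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Derive(password, salt, Iterations);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Recomputes the hash with the stored salt and compares in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Derive(password, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Password change as described in the comments: prove the old password, then store a fresh hash.
    public static bool TryChange(string oldPassword, string newPassword, string stored, out string newStored)
    {
        newStored = "";
        if (!Verify(oldPassword, stored)) return false;
        newStored = Hash(newPassword); // new random salt, so the record never repeats
        return true;
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256);
        return kdf.GetBytes(HashSize);
    }
}
```

Because the salt is random, hashing the same password twice yields two different records; both still verify.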
-1

Looking at this article, The Differences Between Rijndael and AES, the differences mentioned are negligible considering you want to only encrypt passwords (presumably of small length, < 30 characters).

Also see Is the RijndaelManaged Class in C# equivalent to AES encryption?

– Agent Shark