0

I am developing ASP.NET web application for a financial institution that is accessible by authenticated users. As a requirement, password for each user need to be encrypted so that Database Administrators can't have access to any user's password. I have gone through various types of encryption and hashing algorithms, but not sure which can be best suited for my requirement.

Ajay Jain
  • 93
  • 12
  • 1
    Use MS-provided AspNet Identity framework. It provides hashing and other security measures for you. Don't write security framework yourself, you most likely will make a mess of it. – trailmax Oct 11 '14 at 16:16
  • Related: http://stackoverflow.com/questions/10948994/which-of-the-net-included-hashing-algorithms-are-secure-enough-for-password-has – Steven Oct 12 '14 at 08:23

1 Answers1

1

Whenever possible, prevent storing passwords all together, for instance by using Windows Authentication. If that is not possible, use the industries best practices in storing passwords. This means that you should:

  • Use password hashing (not encryption)
  • Add a salt to the hash
  • Use a computational intensive hashing algorithm.

The big danger of storing passwords is that the passwords of thousands of users get compromised when someone breaks into your system (or your DBA steals them). Although you can every user's password in your system, users usually use the same password over and over again and this means that the user is at risk when their password is compromised. Of course it is of course bad practice to reuse passwords, this is what users do and it is our job to at least minimize the risk for our users by doing anything that is within our power to do so. Don't forget that failing to do so, might even cause your company to get sued. This happened with LinkedIn.

So for password hashing this practically means that password hashing using MD5 and SHA (even with salting) is pretty useless, since those algorithms are optimized for speed, which allows hackers compute 2300 million salted hashes per second (brute force).

Some well-known computational intensive hashing algorithm are PBKDF2, Bcrypt, PBMAC, and scrypt. In .NET there's an PBKDF2 implementation named Rfc2898DeriveBytes. Here's a good example of the use of Rfc2898DeriveBytes (complete with configurable computational intensiveness, which allows this method to allow to withstand ever increasing computing power of computers).

Using some well-known frameworks that implement best-practices might be a good idea as well. @trailmax already suggested the AspNet Identity framework, which uses PBKDF2. However, prevent from using ASP.NET's SqlMembershipProvider, since it uses SHA by default, and it's actually quite hard to reconfigure it to use a safe method.

Steven
  • 166,672
  • 24
  • 332
  • 435