
I encrypt the password with the following code

using System;
using System.Security.Cryptography;
using System.Text;

// Returns the SHA-512 digest of the input as a lowercase hex string.
public static string HashPassword(string source)
{
    using (HashAlgorithm hashAlgorithm = new SHA512CryptoServiceProvider())
    {
        byte[] byteValue = Encoding.UTF8.GetBytes(source);
        byte[] hashValue = hashAlgorithm.ComputeHash(byteValue);

        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < hashValue.Length; i++)
        {
            sb.AppendFormat("{0:x2}", hashValue[i]);
        }

        return sb.ToString();
    }
}

After that I saved it in the database. Now I want to retrieve the actual password by decrypting it. Please help me.

  • You've misunderstood what a hash does. Please read http://en.wikipedia.org/wiki/Cryptographic_hash_function – Jon Skeet Dec 02 '14 at 09:57
  • 1
    A smart guy said: "How to get a living cow out of the beefburger?". – C4d Dec 02 '14 at 10:06
  • Another issue is that a normal cryptographic hash like SHA-2 is not what you want to do for password hashing. You want a slow salted hash instead. See [How to securely hash passwords?](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) on security.se for details. – CodesInChaos Dec 02 '14 at 16:54

1 Answer


You hash a password, you don't encrypt it. That being said, you cannot decrypt it.

Taken from here

Encryption transforms data into another format in such a way that only specific individual(s) can reverse the transformation. It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. As such, the ciphertext, algorithm, and key are all required to return to the plaintext.

while

Hashing serves the purpose of ensuring integrity, i.e. making it so that if something is changed you can know that it’s changed. Technically, hashing takes arbitrary input and produces a fixed-length string that has the following attributes:

  1. The same input will always produce the same output.
  2. Multiple disparate inputs should not produce the same output.
  3. It should not be possible to go from the output to the input.
  4. Any modification of a given input should result in drastic change to the hash.

Hashing is used in conjunction with authentication to produce strong evidence that a given message has not been modified. This is accomplished by taking a given input, encrypting it with a given key, hashing it, and then encrypting the key with the recipient’s public key and signing the hash with the sender’s private key.

then what can I use with which I can convert output to input?

You should encrypt and decrypt your data and not hash it. Encrypting and decrypting data is a big subject. A good starting point is to read this. Generally, you have two types of encryption, symmetric and asymmetric. So initially, read about them and then choose the one you think suits your needs. Then try to implement it. You will make use of algorithms that are already implemented in .NET and can be used by instantiating objects of the corresponding classes and calling specific methods.

However, I have to make a note here. Usually, we hash the passwords and we don't encrypt them. This is more secure. Taken from here:

Though hashing and encryption both provide valuable capabilities, for the vast majority of situations, there is only one right option for storing user passwords for an online application: hashing. This is a one-way function in which a hashed value cannot be reversed to obtain the original input value (i.e., the password). Symmetric encryption is based on the use of an encryption key and is a reversible operation. Anyone possessing the key can decrypt an encrypted value to obtain the original value.

  • then what can I use with which I can convert output to input? – Nitu Bansal Dec 02 '14 at 10:06
  • If you're seriously asking this, read this answer again. Otherwise google for bruteforce or dictionary attack. – C4d Dec 02 '14 at 10:08
  • Implementing secure symmetric encryption after only reading MSDN documentation is practically impossible. The API is very low level, so the programmer needs to implement several pitfalls which requires quite a bit of crypto knowledge. – CodesInChaos Dec 02 '14 at 16:57
  • @CodesInChaos I agree 100% with you. However, it is a starting point, in order he get a base knowledge and then proceed. Don't you agree? – Christos Dec 02 '14 at 17:03
  • @Christos People starting that way usually end up with encryption code that appears to work but isn't secure. I'd recommend starting with either technical background to learn about all the pitfalls or with a secure high level implementation. – CodesInChaos Dec 02 '14 at 17:06
  • @CodesInChaos I would appreciate, if you could suggest anything, that I could include in my post, in order to be better. Thank you very much in advance ! – Christos Dec 02 '14 at 17:12
  • Since this question appears to be about password hashing, [How to securely hash passwords?](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) is good for theory. I don't have a good implementation at hand, but `Rfc2898DeriveBytes` with a random per-user salt and at least 10000 iterations is a decent choice. For encryption I don't know a good article, but jbtule's answer at [Encrypt and decrypt a string](http://stackoverflow.com/a/10366194/445517) looks secure to me. – CodesInChaos Dec 02 '14 at 17:14