
My program asks for a password and saves it inside a text file, and the next time I run my program, if the text file exists, it asks for the password and I compare it with the password inside the text file.

Now, in the real world I know a text file is not used, but I don't know how I can improve my technique, because regardless of the encryption algorithm a text file is readable by everyone, and another solution such as a registry key is the same.

This is an exercise and my intention is to learn: if I were programming a commercial app, then what technique should I use to store a password with more robust security?

Marco Bonelli
Meska

2 Answers

The idea is to encrypt or hash the password but never to decrypt it, i.e. you transform your password in a way which is not reversible.

  • When the password is entered the first time, you (one way) encrypt the password and store it.
  • When a user tries to log in, the entered password is encrypted again and compared with the stored one.

A code example was already provided in this answer:

using System;
using System.Security.Cryptography;
using System.Text;

// UTF-8 keeps non-ASCII characters intact; ASCII.GetBytes would silently replace them with '?'.
byte[] data = Encoding.UTF8.GetBytes(inputString);
data = new SHA256Managed().ComputeHash(data);
// Hex-encode the raw hash bytes; decoding them as ASCII text would corrupt the value.
string hash = BitConverter.ToString(data).Replace("-", "");

Your program will store / compare the hash value instead of the plain password.

The code can and should be further improved. An attacker could create large dictionaries / rainbow tables of encrypted passwords and use them as a lookup for password cracking. This can be prevented by adding some "salt" to the password to be encrypted. For more details see this answer.

JimiLoe
  • Does this code salt the hash?! If not it's not really usable for passwords. – ThiefMaster Apr 14 '15 at 06:20
  • @ThiefMaster Thank you. Recommended "salt" in my answer and added a link for details. – JimiLoe Apr 14 '15 at 06:31
  • Don't use `SHA256Managed` for this, use a real password hashing algorithm like PBKDF2 or BCrypt. Those hash in multiple iterations (usually 100s to 1000s) to make it harder to bruteforce hashes. – Mark Rotteveel Apr 14 '15 at 06:53

It doesn't matter where you store your passwords, as long as you store only a hash of them. A text file will do pretty well; what is important is that you use a salt and a slow hash function with a cost factor. Algorithms like MD5 or SHA* are not appropriate to hash passwords, because they are too fast and therefore can be brute-forced too easily.

The library BCrypt.NET implements the BCrypt algorithm, which is designed to hash passwords. It will automatically add a cryptographically safe salt and includes it in the resulting BCrypt hash.

using BCrypt.Net;   // BCrypt.NET: https://www.nuget.org/packages/BCrypt.Net-Next

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
string hashToStoreInDb = BCrypt.HashPassword(password);

// Check if the hash of the entered login password matches the stored hash.
// The salt and the cost factor will be extracted from existingHashFromDb.
bool isPasswordCorrect = BCrypt.Verify(password, existingHashFromDb);

Another good algorithm is PBKDF2; crackstation.net has a good code example.

If you are interested in more detailed information, you could have a look at my tutorial about safely storing passwords.

martinstoeckli
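The advice in both answers (a per-password random salt, a slow hash with a cost factor, and a storage location that does not need to be secret) can be demonstrated with PBKDF2 from the .NET base class library, which is the algorithm the second answer and the last comment on the first answer point to. The following is an added example, not code from the question or either answer; it assumes .NET Core 2.1 or later (for `Rfc2898DeriveBytes` with `HashAlgorithmName` and `CryptographicOperations.FixedTimeEquals`), and the file name `password.txt` is an assumption chosen for the demo.

```csharp
// Added example: salted PBKDF2-HMAC-SHA256 password record stored in a text file.
// Assumes .NET Core 2.1+ / .NET 5+; the record format and file name are chosen here.
using System;
using System.IO;
using System.Security.Cryptography;

public static class PasswordFile
{
    // Cost factor. Raise it over time; stored records keep their own iteration
    // count so old records still verify after the default is increased.
    private const int DefaultIterations = 100_000;
    private const int SaltSize = 16;  // bytes of random salt per password
    private const int HashSize = 32;  // bytes of derived key (SHA-256 output length)

    // Build the line that is written to disk:
    //   pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>
    // Nothing in it needs to be secret; its strength comes from the slow derivation.
    public static string CreateRecord(string password)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);              // cryptographically secure salt
        byte[] hash = Derive(password, salt, DefaultIterations);
        return string.Join("$", "pbkdf2-sha256", DefaultIterations,
            Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Re-derive with the salt and iteration count taken from the stored record and
    // compare in constant time so timing does not leak how many bytes matched.
    public static bool VerifyRecord(string password, string record)
    {
        string[] parts = record.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations < 1) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException) { return false; }      // corrupted or tampered record
        byte[] actual = Derive(password, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    // Same flow as the question: first run sets the password, later runs check it.
    public static void Main()
    {
        const string path = "password.txt";
        if (!File.Exists(path))
        {
            Console.Write("Set a password: ");
            File.WriteAllText(path, CreateRecord(Console.ReadLine() ?? ""));
            Console.WriteLine("Stored salted PBKDF2 record in " + path);
            return;
        }
        Console.Write("Password: ");
        bool ok = VerifyRecord(Console.ReadLine() ?? "", File.ReadAllText(path).Trim());
        Console.WriteLine(ok ? "Access granted" : "Access denied");
    }
}
```

Two details worth noticing: the iteration count is stored alongside the hash so it can be raised later without invalidating existing records, and the comparison uses `CryptographicOperations.FixedTimeEquals` rather than `==` on arrays or strings. For a commercial application a dedicated library such as BCrypt.NET, as shown in the second answer, packages the same ideas with fewer decisions left to the caller.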