I am using the AesManaged class to encrypt/decrypt passwords, per the code in this link: https://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged(v=vs.110).aspx

We have a system that stores user passwords encrypted. My question is: do we store the user passwords with one key/IV pair for all users, or one key/IV pair for each user? What are the pros/cons of each approach?

Nir Alfasi
    You really shouldn't encrypt your users' passwords. You should hash them with a per user salt and many iterations (PBKDF2, bcrypt, scrypt). – Artjom B. Sep 21 '15 at 23:05
  • Thanks, that helps. I did browse through in the direction you mentioned and yes, it makes a lot of sense. In doing so I came across this question: http://security.stackexchange.com/questions/80623/hashing-vs-one-way-encryption, which I guess is the way to go. Or is there a better practice? – user5286044_K Sep 21 '15 at 23:27
  • Since there is no code, it is not really helpful. [This](http://stackoverflow.com/a/10402129/1816580) is much more helpful, but nowadays you should specify a couple million iterations. – Artjom B. Sep 21 '15 at 23:34
  • Thank you. I am unable to mark this as the answer to my question; let me know how I can do it. – user5286044_K Sep 22 '15 at 20:00
  • possible duplicate of [How to hash a password](http://stackoverflow.com/questions/4181198/how-to-hash-a-password) – Artjom B. Sep 22 '15 at 20:03
  • This is not an answer, but a comment. That is why you can't accept it. Technically, I didn't answer your question. However, you should see a button above your question to mark it as a duplicate of another question which should answer your actual problem. Be aware of the [X Y Problem](http://meta.stackexchange.com/q/66377/266187) in the future. – Artjom B. Sep 22 '15 at 20:05